CVE-2022-27782
First published: Wed Jun 01 2022(Updated: )
libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/curl | <=7.64.0-4+deb10u2 | 7.64.0-4+deb10u7 7.74.0-1.3+deb11u9 7.74.0-1.3+deb11u10 7.88.1-10+deb12u3 7.88.1-10+deb12u4 8.4.0-2 |
| Haxx Curl | <7.83.1 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
| Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
| Splunk Universal Forwarder | =9.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.openwall.com/lists/oss-security/2022/05/11/5
- https://curl.se/docs/CVE-2022-27782.html
- https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c
- https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5
- https://security-tracker.debian.org/tracker/CVE-2022-27782
- http://www.openwall.com/lists/oss-security/2023/03/20/6
- https://hackerone.com/reports/1555796
- https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
- https://security.gentoo.org/glsa/202212-01
- https://security.netapp.com/advisory/ntap-20220609-0009/
- https://www.debian.org/security/2022/dsa-5197
Frequently Asked Questions
What is CVE-2022-27782?
CVE-2022-27782 is a vulnerability in libcurl that allows the reuse of a previously created connection even when a TLS or SSH-related option had been changed that should have prohibited reuse.
What is the severity of CVE-2022-27782?
The severity of CVE-2022-27782 is not stated in the provided information.
How does libcurl handle previously used connections?
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.
Which versions of curl are affected by CVE-2022-27782?
Versions 7.64.0-4+deb10u6, 7.74.0-1.3+deb11u7, 7.88.1-10, 7.88.1-10+deb12u1, 7.88.1-11, and 8.2.1-1 of curl on Debian are affected by CVE-2022-27782.
How can I fix CVE-2022-27782?
Apply the recommended patches or updates provided by Debian for curl versions 7.64.0-4+deb10u6, 7.74.0-1.3+deb11u7, 7.88.1-10, 7.88.1-10+deb12u1, 7.88.1-11, and 8.2.1-1.
- collector/security-tracker-debian
- collector/nvd-index
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/haxx
- canonical/haxx curl
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/splunk
- canonical/splunk universal forwarder
- version/splunk universal forwarder/8.2.0
- version/splunk universal forwarder/9.0.0
- version/splunk universal forwarder/9.1.0