First published: Mon Jun 20 2022 (Updated: )
A vulnerability was found in curl. The issue occurs because the number of acceptable "links" in the "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. This flaw leads to a denial of service, whether triggered by mistake or by a malicious actor.
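As an added illustration of the mitigation (example code, not curl's own), the following sketch shows a client-side decoder that parses the Content-Encoding chain and rejects an over-long chain before any decoder state is allocated; the limit of 5 links and the gzip/deflate-only support are assumptions made for this example.

```python
import gzip
import zlib

# Illustrative bound on chained content-codings (an assumption for this example,
# not a value from the advisory). Each link costs a decoder state, so an
# unbounded chain lets a server exhaust the client: the CVE-2022-32206 pattern.
MAX_ENCODING_LINKS = 5

class DecompressionChainTooLong(ValueError):
    """Raised before any decoder is set up when the chain exceeds the bound."""

# Codings this example understands; "deflate" here is the RFC 1950 zlib wrapper.
DECODERS = {"gzip": gzip.decompress, "x-gzip": gzip.decompress,
            "deflate": zlib.decompress}
ENCODERS = {"gzip": gzip.compress, "x-gzip": gzip.compress,
            "deflate": zlib.compress}

def parse_content_encoding(header):
    """Split 'gzip, deflate' into ['gzip', 'deflate']; drop empty and 'identity'."""
    tokens = [t.strip().lower() for t in header.split(",")]
    return [t for t in tokens if t and t != "identity"]

def decode_body(header, body, limit=MAX_ENCODING_LINKS):
    """Undo a Content-Encoding chain, refusing over-long chains before decoding."""
    links = parse_content_encoding(header)
    if len(links) > limit:
        raise DecompressionChainTooLong(
            f"{len(links)} content-codings exceed the limit of {limit}")
    # Codings are listed in the order applied by the server, so undo last-first.
    for coding in reversed(links):
        if coding not in DECODERS:
            raise ValueError(f"unsupported content-coding: {coding!r}")
        body = DECODERS[coding](body)
    return body

def encode_body(body, links):
    """Apply codings in order; pairs with a header of ', '.join(links)."""
    for coding in links:
        body = ENCODERS[coding](body)
    return body

if __name__ == "__main__":
    payload = b"constructed sample body"   # constructed test input
    chain = ["gzip", "deflate"]
    wire = encode_body(payload, chain)
    print(decode_body("gzip, deflate", wire) == payload)          # True
    try:
        decode_body(", ".join(["gzip"] * 6), wire)
    except DecompressionChainTooLong as err:
        print("rejected:", err)
```

The check runs on the parsed header alone, so a hostile chain is refused without ever inflating a byte of the body.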
Credit: support@hackerone.com (CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208)
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jbcs-httpd24-curl | <0:7.86.0-2.el8 | 0:7.86.0-2.el8 |
redhat/jbcs-httpd24-curl | <0:7.86.0-2.el7 | 0:7.86.0-2.el7 |
redhat/curl | <0:7.61.1-22.el8_6.4 | 0:7.61.1-22.el8_6.4 |
redhat/curl | <0:7.61.1-18.el8_4.3 | 0:7.61.1-18.el8_4.3 |
redhat/curl | <0:7.76.1-14.el9_0.5 | 0:7.76.1-14.el9_0.5 |
debian/curl | <=7.64.0-4+deb10u2 | 7.64.0-4+deb10u7 7.74.0-1.3+deb11u9 7.74.0-1.3+deb11u10 7.88.1-10+deb12u3 7.88.1-10+deb12u4 8.4.0-2 |
Apple macOS Ventura | <13 | 13 |
redhat/curl | <7.84.0 | 7.84.0 |
Haxx Curl | <7.84.0 | |
Fedoraproject Fedora | =35 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
NetApp Clustered Data ONTAP | ||
Netapp Element Software | ||
Netapp Hci Management Node | ||
Netapp Solidfire | ||
Netapp Bootstrap Os | ||
Netapp Hci Compute Node | ||
Netapp H300s Firmware | ||
Netapp H300s | ||
Netapp H500s Firmware | ||
Netapp H500s | ||
Netapp H700s Firmware | ||
Netapp H700s | ||
Netapp H410s Firmware | ||
Netapp H410s | ||
Siemens Scalance Sc622-2c Firmware | <3.0 | |
Siemens Scalance Sc622-2c | ||
Siemens Scalance Sc626-2c Firmware | <3.0 | |
Siemens Scalance Sc626-2c | ||
Siemens Scalance Sc632-2c Firmware | <3.0 | |
Siemens Scalance Sc632-2c | ||
Siemens Scalance Sc636-2c Firmware | <3.0 | |
Siemens Scalance Sc636-2c | ||
Siemens Scalance Sc642-2c Firmware | <3.0 | |
Siemens Scalance Sc642-2c | ||
Siemens Scalance Sc646-2c Firmware | <3.0 | |
Siemens Scalance Sc646-2c | ||
All of | ||
Netapp Hci Compute Node | ||
Netapp Bootstrap Os | ||
All of | ||
Netapp H300s | ||
Netapp H300s Firmware | ||
All of | ||
Netapp H500s | ||
Netapp H500s Firmware | ||
All of | ||
Netapp H700s | ||
Netapp H700s Firmware | ||
All of | ||
Netapp H410s | ||
Netapp H410s Firmware | ||
All of | ||
Siemens Scalance Sc622-2c | ||
Siemens Scalance Sc622-2c Firmware | <3.0 | |
All of | ||
Siemens Scalance Sc626-2c | ||
Siemens Scalance Sc626-2c Firmware | <3.0 | |
All of | ||
Siemens Scalance Sc632-2c Firmware | <3.0 | |
Siemens Scalance Sc632-2c | ||
All of | ||
Siemens Scalance Sc636-2c Firmware | <3.0 | |
Siemens Scalance Sc636-2c | ||
All of | ||
Siemens Scalance Sc642-2c Firmware | <3.0 | |
Siemens Scalance Sc642-2c | ||
All of | ||
Siemens Scalance Sc646-2c Firmware | <3.0 | |
Siemens Scalance Sc646-2c | ||
Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
Splunk Universal Forwarder | =9.1.0 | |
CVE-2022-32206 is a vulnerability in curl that allows a malicious server to insert a virtually unlimited number of links in the decompression chain.
CVE-2022-32206 has a severity rating of 6.5 (Medium).
Software versions of curl < 7.84.0 and some versions of jbcs-httpd24-curl, curl for Red Hat, curl for Debian, and Apple macOS Ventura are affected by CVE-2022-32206.
To fix CVE-2022-32206, update your curl software to version 7.84.0 or higher.
You can find more information about CVE-2022-32206 at the following sources: CVE website, NIST NVD, curl documentation, Red Hat Bugzilla, and Red Hat Security Advisory.