CVE-2022-42916
First published: Mon Oct 17 2022(Updated: )
A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism can be bypassed if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`.
Credit: cve@mitre.org CVE-2022-42915 CVE-2022-42916 CVE-2022-32221 CVE-2022-35260 CVE-2022-42915 CVE-2022-42916 CVE-2022-32221 CVE-2022-35260 cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-curl | <0:7.86.0-2.el8 | 0:7.86.0-2.el8 |
| redhat/jbcs-httpd24-curl | <0:7.86.0-2.el7 | 0:7.86.0-2.el7 |
| Haxx Curl | >=7.77.0<7.86.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Apple macOS | <12.6.3 | |
| Apple macOS | >=13.0<13.2 | |
| Apple macOS Ventura | <13.2 | 13.2 |
| redhat/curl | <7.86.0 | 7.86.0 |
| Apple macOS Monterey | <12.6.3 | 12.6.3 |
| Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
| Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
| Splunk Universal Forwarder | =9.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-42916 https://nvd.nist.gov/vuln/detail/CVE-2022-42916 https://curl.se/docs/CVE-2022-42916.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2135416
- https://access.redhat.com/errata/RHSA-2022:8840
- https://access.redhat.com/errata/RHSA-2022:8841
- https://access.redhat.com/security/cve/cve-2022-42916
- http://seclists.org/fulldisclosure/2023/Jan/19
- http://seclists.org/fulldisclosure/2023/Jan/20
- http://www.openwall.com/lists/oss-security/2022/12/21/1
- https://curl.se/docs/CVE-2022-42916.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/
- https://security.gentoo.org/glsa/202212-01
- https://security.netapp.com/advisory/ntap-20221209-0010/
- https://support.apple.com/kb/HT213604
- https://support.apple.com/kb/HT213605
- https://support.apple.com/en-us/HT213605 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2137769
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2137770
- https://support.apple.com/en-us/HT213604 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2023-32438
- CVE-2023-23499
- CVE-2023-23520
- CVE-2022-42915
- CVE-2022-42916
- CVE-2022-32221
- CVE-2022-35260
- CVE-2023-23539
- CVE-2023-23513
- CVE-2023-23493
- CVE-2023-41990
- CVE-2023-23530
- CVE-2023-23531
- CVE-2023-23519
- CVE-2023-23507
- CVE-2023-23516
- CVE-2023-23500
- CVE-2023-23502
- CVE-2023-23504
- CVE-2023-23506
- CVE-2023-23498
- CVE-2023-23503
- CVE-2023-28208
- CVE-2023-23497
- CVE-2023-23510
- CVE-2023-23512
- CVE-2023-23505
- CVE-2022-3705
- CVE-2023-23511
- CVE-2023-32393
- CVE-2023-23496
- CVE-2023-23518
- CVE-2023-23517
- CVE-2023-23501
- CVE-2023-23508
- CVE-2022-0108
- CVE-2022-35252
- CVE-2022-32915
- CVE-2022-42834
- CVE-2023-27931
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-42916.
What is the severity of CVE-2022-42916?
The severity of CVE-2022-42916 is high.
How can this vulnerability be exploited?
This vulnerability can be exploited by bypassing the HSTS check in curl before version 7.86.0, allowing an attacker to trick it into staying with HTTP.
Which software versions are affected by CVE-2022-42916?
macOS Monterey version 12.6.3, curl version up to 7.86.0, jbcs-httpd24-curl version up to 0:7.86.0-2.el8, jbcs-httpd24-curl version up to 0:7.86.0-2.el7, and macOS Ventura version up to 13.2.
How do I fix CVE-2022-42916?
To fix CVE-2022-42916, update to curl version 7.86.0 or newer.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-42916
- agent/software-canonical-lookup
- agent/event
- agent/description
- collector/nvd-api
- source/NVD
- agent/author
- agent/references
- agent/softwarecombine
- agent/tags
- collector/apple-support
- source/Apple
- alias/CVE-2022-32221
- alias/CVE-2022-35260
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/haxx
- canonical/haxx curl
- version/haxx curl/7.77.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- vendor/apple
- canonical/apple macos
- version/apple macos/13.0
- vendor/splunk
- canonical/splunk universal forwarder
- version/splunk universal forwarder/8.2.0
- version/splunk universal forwarder/9.0.0
- version/splunk universal forwarder/9.1.0
- canonical/apple macos ventura
- canonical/apple macos monterey