CVE-2022-35260

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

Se puede indicar a curl que analice un archivo `.netrc` en busca de credenciales. Si ese archivo termina en una línea con 4095 letras de espacios consecutivos que no sean espacios en blanco y sin nueva línea, curl primero leerá más allá del final del búfer basado en pila y, si la lectura funciona, escribirá un byte cero más allá de su límite. En la mayoría de los casos, esto causará una falla de segmento o similar, pero las circunstancias también pueden causar resultados diferentes. Si un usuario malintencionado puede proporcionar un archivo netrc personalizado a una aplicación o afectar su contenido de otra manera, esta falla podría usarse como Denegación de Servicio (DoS).

*Credits: N/A

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-06 CVE Reserved
2022-10-27 CVE Published
2024-07-26 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-125: Out-of-bounds Read
CWE-787: Out-of-bounds Write

CAPEC

References (7)

URL	Tag	Source
http://seclists.org/fulldisclosure/2023/Jan/19	Mailing List
http://seclists.org/fulldisclosure/2023/Jan/20	Mailing List
https://security.netapp.com/advisory/ntap-20230110-0006	Third Party Advisory
https://support.apple.com/kb/HT213604	Third Party Advisory
https://support.apple.com/kb/HT213605	Third Party Advisory

URL	Date	SRC
https://hackerone.com/reports/1721098	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://security.gentoo.org/glsa/202212-01	2024-03-27

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"	H300s Firmware Search vendor "Netapp" for product "H300s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H300s Search vendor "Netapp" for product "H300s"	-	-	Safe
Netapp Search vendor "Netapp"	H500s Firmware Search vendor "Netapp" for product "H500s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H500s Search vendor "Netapp" for product "H500s"	-	-	Safe
Netapp Search vendor "Netapp"	H700s Firmware Search vendor "Netapp" for product "H700s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H700s Search vendor "Netapp" for product "H700s"	-	-	Safe
Netapp Search vendor "Netapp"	H410s Firmware Search vendor "Netapp" for product "H410s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H410s Search vendor "Netapp" for product "H410s"	-	-	Safe
Haxx Search vendor "Haxx"		Curl Search vendor "Haxx" for product "Curl"				>= 7.84.0 < 7.86.0 Search vendor "Haxx" for product "Curl" and version " >= 7.84.0 < 7.86.0"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				-		-		Affected
Apple Search vendor "Apple"		Macos Search vendor "Apple" for product "Macos"				< 12.6.3 Search vendor "Apple" for product "Macos" and version " < 12.6.3"		-		Affected
Splunk Search vendor "Splunk"		Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder"				>= 8.2.0 < 8.2.12 Search vendor "Splunk" for product "Universal Forwarder" and version " >= 8.2.0 < 8.2.12"		-		Affected
Splunk Search vendor "Splunk"		Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder"				>= 9.0.0 < 9.0.6 Search vendor "Splunk" for product "Universal Forwarder" and version " >= 9.0.0 < 9.0.6"		-		Affected
Splunk Search vendor "Splunk"		Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder"				9.1.0 Search vendor "Splunk" for product "Universal Forwarder" and version "9.1.0"		-		Affected