CVE-2022-42916

curl: HSTS bypass via IDN

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

En curl anterior a 7.86.0, se podía omitir la verificación HSTS para engañarlo y que se quedara con HTTP. Usando su soporte HSTS, se puede indicar a curl que use HTTPS directamente (en lugar de usar un paso HTTP de texto limpio inseguro) incluso cuando se proporciona HTTP en la URL. Este mecanismo podría omitirse si el nombre de anfitrión en la URL dada usa caracteres IDN que se reemplazan con sus homólogos ASCII como parte de la conversión de IDN, por ejemplo, usando el carácter UTF-8 U+3002 (DEOGRAPHIC FULL STOP) en lugar del ASCII común. punto final de U+002E (.). La primera versión afectada es la 7.77.0 2021-05-26.

A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism can be bypassed if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-10-13 CVE Reserved
2022-10-27 CVE Published
2024-05-21 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-319: Cleartext Transmission of Sensitive Information

CAPEC

References (13)

URL	Tag	Source
http://seclists.org/fulldisclosure/2023/Jan/19	Mailing List
http://seclists.org/fulldisclosure/2023/Jan/20	Mailing List
http://www.openwall.com/lists/oss-security/2022/12/21/1	Mailing List
https://security.netapp.com/advisory/ntap-20221209-0010	Broken Link
https://support.apple.com/kb/HT213604	Third Party Advisory
https://support.apple.com/kb/HT213605	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://curl.se/docs/CVE-2022-42916.html	2024-03-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2	2024-03-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76	2024-03-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK	2024-03-27
https://security.gentoo.org/glsa/202212-01	2024-03-27
https://access.redhat.com/security/cve/CVE-2022-42916	2022-12-08
https://bugzilla.redhat.com/show_bug.cgi?id=2135416	2022-12-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Haxx Search vendor "Haxx"		Curl Search vendor "Haxx" for product "Curl"				>= 7.77.0 < 7.86.0 Search vendor "Haxx" for product "Curl" and version " >= 7.77.0 < 7.86.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Apple Search vendor "Apple"		Macos Search vendor "Apple" for product "Macos"				< 12.6.3 Search vendor "Apple" for product "Macos" and version " < 12.6.3"		-		Affected
Apple Search vendor "Apple"		Macos Search vendor "Apple" for product "Macos"				>= 13.0 < 13.2 Search vendor "Apple" for product "Macos" and version " >= 13.0 < 13.2"		-		Affected
Splunk Search vendor "Splunk"		Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder"				>= 8.2.0 < 8.2.12 Search vendor "Splunk" for product "Universal Forwarder" and version " >= 8.2.0 < 8.2.12"		-		Affected
Splunk Search vendor "Splunk"		Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder"				>= 9.0.0 < 9.0.6 Search vendor "Splunk" for product "Universal Forwarder" and version " >= 9.0.0 < 9.0.6"		-		Affected
Splunk Search vendor "Splunk"		Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder"				9.1.0 Search vendor "Splunk" for product "Universal Forwarder" and version "9.1.0"		-		Affected