// For flags

CVE-2022-43551

curl: HSTS bypass via IDN

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

Existe una vulnerabilidad en la verificación HSTS de curl &lt;7.87.0 que podría omitirse para engañarlo y seguir usando HTTP. Usando su soporte HSTS, se puede indicar a curl que use HTTPS en lugar de usar un paso HTTP de texto plano inseguro incluso cuando se proporciona HTTP en la URL. Sin embargo, el mecanismo HSTS podría omitirse si el nombre de host en la URL dada utiliza primero caracteres IDN que se reemplazan por sus homólogos ASCII como parte de la conversión de IDN. Como usar el carácter UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) en lugar del punto común ASCII (U+002E) `.`. Luego, en una solicitud posterior, no detecta el estado HSTS y realiza una transferencia de texto plano. Porque almacenaría la información IDN codificada pero la buscaría IDN decodificada.

A vulnerability was found in curl. The issue can occur when curl's HSTS check is bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when providing HTTP in the URL. Suppose the hostname in the given URL first uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. In that case, it can bypass the HSTS mechanism using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the information, IDN encoded but looked for it as IDN decoded.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-10-20 CVE Reserved
  • 2022-12-23 CVE Published
  • 2024-07-15 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-319: Cleartext Transmission of Sensitive Information
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Haxx
Search vendor "Haxx"
Curl
Search vendor "Haxx" for product "Curl"
>= 7.77.0 < 7.87.0
Search vendor "Haxx" for product "Curl" and version " >= 7.77.0 < 7.87.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
37
Search vendor "Fedoraproject" for product "Fedora" and version "37"
-
Affected
Netapp
Search vendor "Netapp"
Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
-vmware_vsphere
Affected
Netapp
Search vendor "Netapp"
Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
-windows
Affected
Netapp
Search vendor "Netapp"
Oncommand Insight
Search vendor "Netapp" for product "Oncommand Insight"
--
Affected
Netapp
Search vendor "Netapp"
Oncommand Workflow Automation
Search vendor "Netapp" for product "Oncommand Workflow Automation"
--
Affected
Netapp
Search vendor "Netapp"
Snapcenter
Search vendor "Netapp" for product "Snapcenter"
--
Affected
Splunk
Search vendor "Splunk"
Universal Forwarder
Search vendor "Splunk" for product "Universal Forwarder"
>= 8.2.0 < 8.2.12
Search vendor "Splunk" for product "Universal Forwarder" and version " >= 8.2.0 < 8.2.12"
-
Affected
Splunk
Search vendor "Splunk"
Universal Forwarder
Search vendor "Splunk" for product "Universal Forwarder"
>= 9.0.0 < 9.0.6
Search vendor "Splunk" for product "Universal Forwarder" and version " >= 9.0.0 < 9.0.6"
-
Affected
Splunk
Search vendor "Splunk"
Universal Forwarder
Search vendor "Splunk" for product "Universal Forwarder"
9.1.0
Search vendor "Splunk" for product "Universal Forwarder" and version "9.1.0"
-
Affected