Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.
Published 2022-06-02 14:15:52
Updated 2023-01-05 17:50:53
Source HackerOne
View at NVD,   CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-30115

Probability of exploitation activity in the next 30 days: 0.14%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 49 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-30115

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source
4.0
MEDIUM AV:N/AC:L/Au:S/C:P/I:N/A:N
8.0
2.9
NIST
4.3
MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
2.8
1.4
NIST

CWE ids for CVE-2022-30115

  • The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
    Assigned by: nvd@nist.gov (Primary)
  • The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
    Assigned by: support@hackerone.com (Secondary)

References for CVE-2022-30115

Products affected by CVE-2022-30115

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!