Vulnerability Details : CVE-2022-35252
Potential exploit
When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies whose contents include control codes. When such a cookie is later sent back to an HTTP server, the server may reject the request with a 400 response. This effectively allows a "sister site" (another host able to set cookies for the same domain) to deny service to all of its siblings.
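The following Python example is added here to illustrate the input class the description refers to; it is not code from this page and not curl's implementation. It shows the check a cookie client needs (discard Set-Cookie values whose name or value contain control bytes before they enter the jar) and an audit of an existing Netscape-format cookie jar, the format curl writes with `-c`, for entries that are already poisoned. The control-byte class follows the cookie-octet grammar of RFC 6265; tolerating TAB is a choice made in this example, and the sample jar is constructed.

```python
"""Added example: detect cookies carrying control bytes, the input class
behind CVE-2022-35252. Illustrative code written for this page, not curl's
implementation.

RFC 6265 section 4.1.1 restricts cookie-value to cookie-octets: printable
US-ASCII excluding CTLs, whitespace, DQUOTE, comma, semicolon and backslash.
A server that validates the Cookie request header strictly answers 400 when
a stored cookie carrying, say, CR, LF, ESC or NUL is replayed, so one bad
Set-Cookie from a sibling host breaks every later request to that domain.
"""
import re
from typing import List, Optional, Tuple

# CTLs are 0x00-0x1F plus 0x7F. TAB (0x09) is tolerated here; that is an
# assumption of this example, made because TAB cannot break the header line
# the way CR, LF and NUL can.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def has_control_bytes(text: str) -> bool:
    """True if the string contains any CTL other than TAB."""
    return _CONTROL.search(text) is not None


def parse_set_cookie(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) from a Set-Cookie header, or None to discard it.

    Attributes after the first ';' are ignored. The cookie is discarded when
    it is malformed (no '=' or empty name) or when the name or the value
    contains control bytes. Only SP and HTAB are trimmed: a bare strip()
    would also remove \x1c-\x1f and hide exactly the bytes we reject.
    """
    pair = header_value.split(";", 1)[0]
    if "=" not in pair:
        return None
    name, value = pair.split("=", 1)
    name, value = name.strip(" \t"), value.strip(" \t")
    if not name or has_control_bytes(name) or has_control_bytes(value):
        return None
    return name, value


def build_cookie_header(jar: List[Tuple[str, str]]) -> str:
    """Serialise a jar the way a client sends it: 'a=1; b=2'."""
    return "; ".join(f"{name}={value}" for name, value in jar)


def scan_cookie_jar(jar_text: str) -> List[Tuple[int, str]]:
    """Audit a Netscape-format cookie jar (the format curl writes with -c).

    Each entry is seven TAB-separated fields: domain, include-subdomains
    flag, path, secure flag, expiry, name, value. Lines curl prefixes with
    '#HttpOnly_' are entries, not comments. Returns (line number, cookie
    name) for every entry whose name or value contains control bytes;
    entries with too few fields are reported with the name '?'.
    """
    hits: List[Tuple[int, str]] = []
    # split('\n') rather than splitlines(): splitlines() also breaks on
    # \x0b, \x0c and \x1c-\x1e, which would hide the bytes we look for.
    for lineno, line in enumerate(jar_text.split("\n"), start=1):
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        if not line.strip(" \t") or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            hits.append((lineno, "?"))
            continue
        name, value = fields[5], fields[6]
        if has_control_bytes(name) or has_control_bytes(value):
            hits.append((lineno, name))
    return hits


# Constructed sample jar for this example; line 3 carries an ESC byte (0x1b)
# in its value.
SAMPLE_JAR = (
    "# Netscape HTTP Cookie File\n"
    ".example.com\tTRUE\t/\tFALSE\t0\tsession\tabc123\n"
    "#HttpOnly_.example.com\tTRUE\t/\tFALSE\t0\tcsrf\t\x1bzz\n"
    ".example.com\tTRUE\t/\tFALSE\t0\tpref\tdark\n"
)


if __name__ == "__main__":
    for raw in ("session=abc123; Path=/; HttpOnly", "evil=a\x01b; Path=/"):
        print(repr(raw), "->", parse_set_cookie(raw))
    print("poisoned jar entries:", scan_cookie_jar(SAMPLE_JAR))
```

Running the jar scan against a jar accumulated by an older curl is a quick way to find whether a host has already been affected; removing the flagged lines restores service to that domain without discarding the remaining cookies.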
Products affected by CVE-2022-35252
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-35252
0.07% (probability of exploitation activity in the next 30 days)
EPSS Score History
~21% (percentile: the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-35252
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.2 | 1.4 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-05-05 |
3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.2 | 1.4 | NIST | |
CWE ids for CVE-2022-35252
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: support@hackerone.com (Secondary)
References for CVE-2022-35252
- http://seclists.org/fulldisclosure/2023/Jan/20 : Full Disclosure: APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3 (Mailing List; Third Party Advisory)
- https://support.apple.com/kb/HT213603 : About the security content of macOS Big Sur 11.7.3 - Apple Support (Third Party Advisory)
- https://security.gentoo.org/glsa/202212-01 : curl: Multiple Vulnerabilities (GLSA 202212-01) - Gentoo security (Third Party Advisory)
- https://hackerone.com/reports/1613943 : HackerOne (Exploit; Issue Tracking; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html : [SECURITY] [DLA 3288-1] curl security update (Mailing List; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220930-0005/ : CVE-2022-35252 cURL/libcURL Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://seclists.org/fulldisclosure/2023/Jan/21 : Full Disclosure: APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3 (Mailing List; Third Party Advisory)
- https://support.apple.com/kb/HT213604 : About the security content of macOS Monterey 12.6.3 - Apple Support (Third Party Advisory)