CVE-2022-42916 : In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

Published 2022-10-29 02:15:09

Updated 2024-03-27 14:59:03

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2022-42916

Apple » Macos
Versions from including (>=) 13.0 and before (<) 13.2
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Matching versions
Apple » Macos
Versions before (<) 12.6.3
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions
Splunk » Universal Forwarder
Versions from including (>=) 8.2.0 and before (<) 8.2.12
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
Matching versions
Splunk » Universal Forwarder
Versions from including (>=) 9.0.0 and before (<) 9.0.6
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
Matching versions
Splunk » Universal Forwarder » Version: 9.1.0
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl
Versions from including (>=) 7.77.0 and before (<) 7.86.0
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-42916

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 8 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-42916

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2022-42916

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-42916

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/

[SECURITY] Fedora 37 Update: curl-7.85.0-2.fc37 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
http://seclists.org/fulldisclosure/2023/Jan/20

Full Disclosure: APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/

[SECURITY] Fedora 37 Update: curl-7.85.0-2.fc37 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202212-01

curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://seclists.org/fulldisclosure/2023/Jan/19

Full Disclosure: APPLE-SA-2023-01-23-4 macOS Ventura 13.2
Mailing List;Third Party Advisory

CVEs referencing this url
https://curl.se/docs/CVE-2022-42916.html

curl - HSTS bypass via IDN - CVE-2022-42916
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/

[SECURITY] Fedora 35 Update: curl-7.79.1-7.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://support.apple.com/kb/HT213604

About the security content of macOS Monterey 12.6.3 - Apple Support
Third Party Advisory

CVEs referencing this url
https://support.apple.com/kb/HT213605

About the security content of macOS Ventura 13.2 - Apple Support
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/

[SECURITY] Fedora 35 Update: curl-7.79.1-7.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/

[SECURITY] Fedora 36 Update: curl-7.82.0-9.fc36 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20221209-0010/

October 2022 cURL/libcURL Vulnerabilities in NetApp Products | NetApp Product Security
Broken Link

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2022/12/21/1

oss-security - curl: CVE-2022-43551: Another HSTS bypass via IDN
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/

[SECURITY] Fedora 36 Update: curl-7.82.0-9.fc36 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-42916

Products affected by CVE-2022-42916

Exploit prediction scoring system (EPSS) score for CVE-2022-42916

CVSS scores for CVE-2022-42916

CWE ids for CVE-2022-42916

References for CVE-2022-42916