Home > Vulnerability Database > CVE-2022-42916

Mend.io Vulnerability Database

CVE-2022-42916

Good to know:

Date: October 28, 2022

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

Language: C

Severity Score

7.5

Related Resources (18)

Url: http://seclists.org/fulldisclosure/2023/Jan/20

Url: https://security.netapp.com/advisory/ntap-20221209-0010/

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-42916

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/

Url: https://support.apple.com/kb/HT213604

Url: https://support.apple.com/kb/HT213605

Url: https://curl.se/docs/CVE-2022-42916.html

Url: https://security-tracker.debian.org/tracker/CVE-2022-42916

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/

Url: http://seclists.org/fulldisclosure/2023/Jan/19

Url: https://security.gentoo.org/glsa/202212-01

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2022-42916

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/

Url: http://www.openwall.com/lists/oss-security/2022/12/21/1

Url: https://www.mend.io/vulnerability-database/CVE-2022-42916

Severity Score

7.5

Weakness Type (CWE)

Cleartext Transmission of Sensitive Information

CWE-319

Top Fix

Upgrade Version

Upgrade to version curl-7_86_0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-42916

Good to know:

Date: October 28, 2022

Language: C

Severity Score

Related Resources (18)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?