logo
DATABASE RESOURCES PRICING ABOUT US

Medium: curl

Description

**Issue Overview:** A vulnerability was found in curl. This security flaw allows reusing OAUTH2-authenticated connections without properly ensuring that the connection was authenticated with the same credentials set for this transfer. This issue leads to an authentication bypass, either by mistake or by a malicious actor. (CVE-2022-22576) A vulnerability was found in curl. This security flaw allows leaking credentials to other servers when it follows redirects from auth-protected HTTP(S) URLs to other protocols and port numbers. (CVE-2022-27774) A vulnerability was found in curl. This security flaw occurs due to errors in the logic where the config matching function did not take the IPv6 address zone id into account. This issue can lead to curl reusing the wrong connection when one transfer uses a zone id, and the subsequent transfer uses another. (CVE-2022-27775) A vulnerability was found in curl. This security flaw allows leak authentication or cookie header data on HTTP redirects to the same host but another port number. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:`headers. Those headers often contain privacy-sensitive information or data. (CVE-2022-27776) **Affected Packages:** curl **Issue Correction:** Run _yum update curl_ to update your system. **New Packages:** aarch64:     curl-7.79.1-2.amzn2.0.1.aarch64     libcurl-7.79.1-2.amzn2.0.1.aarch64     libcurl-devel-7.79.1-2.amzn2.0.1.aarch64     curl-debuginfo-7.79.1-2.amzn2.0.1.aarch64 i686:     curl-7.79.1-2.amzn2.0.1.i686     libcurl-7.79.1-2.amzn2.0.1.i686     libcurl-devel-7.79.1-2.amzn2.0.1.i686     curl-debuginfo-7.79.1-2.amzn2.0.1.i686 src:     curl-7.79.1-2.amzn2.0.1.src x86_64:     curl-7.79.1-2.amzn2.0.1.x86_64     libcurl-7.79.1-2.amzn2.0.1.x86_64     libcurl-devel-7.79.1-2.amzn2.0.1.x86_64     curl-debuginfo-7.79.1-2.amzn2.0.1.x86_64 ### Additional References Red Hat: [CVE-2022-22576](<https://access.redhat.com/security/cve/CVE-2022-22576>), [CVE-2022-27774](<https://access.redhat.com/security/cve/CVE-2022-27774>), [CVE-2022-27775](<https://access.redhat.com/security/cve/CVE-2022-27775>), [CVE-2022-27776](<https://access.redhat.com/security/cve/CVE-2022-27776>) Mitre: [CVE-2022-22576](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576>), [CVE-2022-27774](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774>), [CVE-2022-27775](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27775>), [CVE-2022-27776](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776>)


Affected Package


OS OS Version Package Name Package Version
Amazon Linux 2 curl 7.79.1-2.amzn2.0.1
Amazon Linux 2 libcurl 7.79.1-2.amzn2.0.1
Amazon Linux 2 libcurl-devel 7.79.1-2.amzn2.0.1
Amazon Linux 2 curl-debuginfo 7.79.1-2.amzn2.0.1
Amazon Linux 2 curl 7.79.1-2.amzn2.0.1
Amazon Linux 2 libcurl 7.79.1-2.amzn2.0.1
Amazon Linux 2 libcurl-devel 7.79.1-2.amzn2.0.1
Amazon Linux 2 curl-debuginfo 7.79.1-2.amzn2.0.1
Amazon Linux 2 curl 7.79.1-2.amzn2.0.1
Amazon Linux 2 curl 7.79.1-2.amzn2.0.1
Amazon Linux 2 libcurl 7.79.1-2.amzn2.0.1
Amazon Linux 2 libcurl-devel 7.79.1-2.amzn2.0.1
Amazon Linux 2 curl-debuginfo 7.79.1-2.amzn2.0.1

Related