Lucene search

K
debiancveDebian Security Bug TrackerDEBIANCVE:CVE-2022-32207
HistoryJul 07, 2022 - 1:15 p.m.

CVE-2022-32207

2022-07-0713:15:08
Debian Security Bug Tracker
security-tracker.debian.org
33
cve-2022-32207
unix
permission widening

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.7%

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended.

OSVersionArchitecturePackageVersionFilename
Debian12allcurl<ย 7.84.0-1curl_7.84.0-1_all.deb
Debian11allcurl<ย 7.74.0-1.3+deb11u2curl_7.74.0-1.3+deb11u2_all.deb
Debian999allcurl<ย 7.84.0-1curl_7.84.0-1_all.deb
Debian13allcurl<ย 7.84.0-1curl_7.84.0-1_all.deb

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.7%