CVE-2022-42915

2022-10-2920:15:00

Debian Security Bug Tracker

security-tracker.debian.org

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

77.0%

JSON

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.

OSVersionArchitecturePackageVersionFilename
Debian12allcurl< 7.86.0-1curl_7.86.0-1_all.deb
Debian11allcurl< 7.74.0-1.3+deb11u11curl_7.74.0-1.3+deb11u11_all.deb
Debian10allcurl< 7.64.0-4+deb10u2curl_7.64.0-4+deb10u2_all.deb
Debian999allcurl< 7.86.0-1curl_7.86.0-1_all.deb
Debian13allcurl< 7.86.0-1curl_7.86.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	curl	< 7.86.0-1	curl_7.86.0-1_all.deb
Debian	11	all	curl	< 7.74.0-1.3+deb11u11	curl_7.74.0-1.3+deb11u11_all.deb
Debian	10	all	curl	< 7.64.0-4+deb10u2	curl_7.64.0-4+deb10u2_all.deb
Debian	999	all	curl	< 7.86.0-1	curl_7.86.0-1_all.deb
Debian	13	all	curl	< 7.86.0-1	curl_7.86.0-1_all.deb