7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
40.7%
I found an issue similar to CVE-2022-42916 again.
Since the phenomenon is the same, I will describe the same as last time.
HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a “.”,
for example "。" (UTF-8: E38082).
I think there are other characters that become “.” (UTF-8: 2E) as a result of converting with IDN.
This is because the host name before IDN conversion is used when writing to the HSTS cache.
[add details for how we can reproduce the issue]
curl -v --hsts hsts.txt https://accounts.google%E3%80%82com
curl -v --hsts hsts.txt http://accounts.google%E3%80%82com
Result of 3.
C:\test\curl-7.86.0-win64-mingw\bin>curl -v --hsts hsts.txt http://accounts.google%E3%80%82com --head
* Trying 142.250.206.237:80...
* Connected to accounts.google縲Ｄom (142.250.206.237) port 80 (#0)
> HEAD / HTTP/1.1
> Host: accounts.google.com
> User-Agent: curl/7.86.0
> Accept: */*
>
If you execute 3. after executing the below, you will access the site with HTTPS.
curl -v --hsts hsts.txt https://accounts.google.com
I use this in a Windows environment.
I checked the HSTS cache after executing 2. and found the host name before IDN conversion.
# Your HSTS cache. https://curl.se/docs/hsts.html
# This file was generated by libcurl! Edit at your own risk.
.accounts.google。com "20231029 15:57:29"
I think the problem is in http.c:line 3727.
data->state.up.hostname is the hostname of the IDN unconverted.
CURLcode check =
Curl_hsts_parse(data->hsts, data->state.up.hostname,
headp + strlen("Strict-Transport-Security:"));
HSTS bypass.
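As an added illustration of the mismatch the report describes (example code, not curl's own): a minimal HSTS cache that is written with the raw hostname but consulted with the IDN-converted one, beside the same cache with both paths canonicalized. It assumes Python's idna codec stands in for libcurl's IDN conversion; HstsCache, simulate and the sample hostname are constructed for the example.

```python
from urllib.parse import unquote


class HstsCache:
    """Minimal stand-in for libcurl's HSTS cache: a set of host keys."""

    def __init__(self):
        self._hosts = set()

    def add(self, key):
        # Called when a Strict-Transport-Security header was seen for key.
        self._hosts.add(key)

    def must_use_https(self, key):
        return key in self._hosts


def idn_to_ascii(hostname):
    # Python's idna codec applies Nameprep, which maps U+3002 (and other
    # ideographic/full-width dots) to an ASCII ".", as libcurl's IDN step does.
    return hostname.encode("idna").decode("ascii").lower()


def raw_name(hostname):
    # The buggy write path: the hostname exactly as it appeared in the URL.
    return hostname.lower()


def simulate(write_key):
    """Replay the report with a given cache-write key function.

    Returns True if the follow-up plain-HTTP request is upgraded to HTTPS."""
    cache = HstsCache()
    # Constructed host from the report's URL, percent-decoded by the client:
    host = unquote("accounts.google%E3%80%82com")  # "accounts.google。com"
    # 1. https://accounts.google。com answers with Strict-Transport-Security;
    #    the entry is stored under whatever key write_key produces.
    cache.add(write_key(host))
    # 2. http://accounts.google。com: the lookup uses the IDN-converted name
    #    the client is actually about to connect to.
    return cache.must_use_https(idn_to_ascii(host))


if __name__ == "__main__":
    print("raw key (report's bug): upgraded =", simulate(raw_name))       # False
    print("canonical key (fixed):  upgraded =", simulate(idn_to_ascii))   # True
```

The fix is to run the same canonicalization before every cache write and every lookup, so a look-alike label can never produce a key that the lookup path will not match.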