
Advisory ROSA-SA-2023-2220

2023-08-22 13:18:19
ROSA LAB
abf.rosalinux.ru
Tags: curl, oauth2, authentication, http redirect, tls, ssh, buffer overflow, yum update

CVSS2: 5.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3: 8.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS: 0.003 (percentile 69.5%)

Software: curl 7.61.1
OS: ROSA Virtualization 2.1

package_evr_string: curl-7.61.1-30.rv3.2c.src.rpm

CVE-ID: CVE-2022-22576
BDU-ID: 2022-03036
CVE-Crit: MEDIUM
CVE-DESC.: An improper authentication flaw in curl's OAUTH2 support. When matching a new transfer against its pool of existing connections, curl did not compare the OAUTH2 bearer token, so a transfer carrying a different token could be sent over a connection that was already authenticated with someone else's token. Exploitation could allow a remote attacker to bypass authentication and gain unauthorized access to protected information.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update curl command

CVE-ID: CVE-2022-27776
BDU-ID: 2022-03040
CVE-Crit: MEDIUM
CVE-DESC.: curl could leak Authorization and Cookie headers during an HTTP redirect to the same host name but a different port number or URL scheme. Only the host name was compared when deciding whether the headers may follow the redirect, so the same set of headers was sent to a service that shares the host name with the first target but listens on another port or speaks another scheme. Exploitation could allow a remote attacker controlling such a service to obtain the credentials.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update curl command

CVE-ID: CVE-2022-27774
BDU-ID: 2022-03041
CVE-Crit: MEDIUM
CVE-DESC.: curl could leak credentials when following HTTP redirects with authentication set (for example with -u): a redirect to a target on a different protocol or port number was followed with the credentials still attached. Exploitation could allow a remote attacker who can steer the redirect to capture the credentials and gain unauthorized access to protected information.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update curl command
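CVE-2022-27776 and CVE-2022-27774 above reduce to one decision: whether credential-bearing headers may follow a redirect. The following Python is an added illustration, not curl's code, that models the pre-fix comparison (host name only) next to the corrected one (scheme, host and port must all match); the URLs, header values and the function names are constructed for the example.

```python
from urllib.parse import urlsplit

# Headers that carry credentials and must not cross an origin boundary.
CREDENTIAL_HEADERS = ("authorization", "proxy-authorization", "cookie")

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990}


def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def strip_credentials(headers):
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def vulnerable_redirect_headers(first_url, redirect_url, headers):
    """Pre-fix logic: only the host name is compared, so a redirect to another
    port or scheme on the same host still receives Authorization and Cookie."""
    if origin(first_url)[1] == origin(redirect_url)[1]:
        return dict(headers)
    return strip_credentials(headers)


def hardened_redirect_headers(first_url, redirect_url, headers):
    """Fixed logic: credentials follow the redirect only when scheme, host and
    port are all identical; anything else counts as a different origin."""
    if origin(first_url) == origin(redirect_url):
        return dict(headers)
    return strip_credentials(headers)


def credentials_forwarded(policy, first_url, redirect_url, headers):
    """True if the policy would send any credential header to redirect_url."""
    sent = policy(first_url, redirect_url, headers)
    return any(k.lower() in CREDENTIAL_HEADERS for k in sent)


# Constructed sample request: a bearer token plus a session cookie.
SAMPLE_HEADERS = {
    "Authorization": "Bearer example-token",
    "Cookie": "session=constructed-value",
    "User-Agent": "example-client/1.0",
}

# Constructed redirect targets; every one shares the host name with FIRST.
FIRST = "https://api.example.test/login"
CASES = {
    "same origin": "https://api.example.test/next",
    "other port": "https://api.example.test:8443/admin",
    "https to http": "http://api.example.test/login",
    "other scheme": "ftp://api.example.test/pub/",
}


def compare_policies():
    """Map each case to (vulnerable_forwards, hardened_forwards)."""
    return {
        name: (
            credentials_forwarded(vulnerable_redirect_headers, FIRST, target, SAMPLE_HEADERS),
            credentials_forwarded(hardened_redirect_headers, FIRST, target, SAMPLE_HEADERS),
        )
        for name, target in CASES.items()
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in compare_policies().items():
        print(f"{name:14} vulnerable={vuln!s:5} hardened={fixed}")
```

Only the "same origin" case keeps the credentials under the hardened policy; the other three are exactly the redirect shapes the two CVEs describe (different port, different scheme) and are stripped, while non-credential headers such as User-Agent still travel with the redirected request.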

CVE-ID: CVE-2022-27782
BDU-ID: 2022-03185
CVE-Crit: MEDIUM
CVE-DESC.: A flaw in curl's reuse of pooled TLS and SSH connections. curl could reuse a previously established TLS or SSH connection even though TLS or SSH options that affect authentication had been changed for the new transfer and should have forced a fresh connection; the transfer then ran under the earlier connection's authentication state. Exploitation could allow a remote attacker to gain unauthorized access to protected information.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update curl command
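CVE-2022-22576 and CVE-2022-27782 share a root cause: the key used to decide that a pooled connection matches a new transfer left out parameters that change who the connection is authenticated as (the OAUTH2 bearer token) or how it was established (TLS and SSH options). The following Python is an added illustration, not curl's code: the ConnectionPool class, the option names and the hosts are constructed for the example, and the "strict" flag switches between an endpoint-only key and one that covers every option.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TransferOptions:
    """Everything that should decide whether an existing connection may be reused."""
    scheme: str
    host: str
    port: int
    bearer_token: Optional[str] = None      # OAUTH2 bearer (CVE-2022-22576)
    username: Optional[str] = None
    verify_peer: bool = True                # TLS options (CVE-2022-27782)
    ca_file: Optional[str] = None
    ssh_known_hosts: Optional[str] = None   # SSH options (CVE-2022-27782)


@dataclass
class Connection:
    """A live connection; opts records what it was authenticated and set up with."""
    opts: TransferOptions
    transfers: int = 0


class ConnectionPool:
    def __init__(self, strict: bool):
        self.strict = strict
        self.live = []

    def _key(self, opts: TransferOptions):
        if self.strict:
            return opts   # frozen dataclass: equality covers every field
        return (opts.scheme, opts.host, opts.port)   # pre-fix: endpoint only

    def acquire(self, opts: TransferOptions):
        """Return (connection, reused)."""
        for conn in self.live:
            if self._key(conn.opts) == self._key(opts):
                conn.transfers += 1
                return conn, True
        conn = Connection(opts, transfers=1)
        self.live.append(conn)
        return conn, False


def run_scenarios(strict: bool):
    """Replay three constructed transfer pairs; each result is True when the
    second transfer wrongly rides the first transfer's connection."""
    pool = ConnectionPool(strict)
    results = {}

    # 1. Two users, two bearer tokens, same IMAP endpoint.
    alice = TransferOptions("imaps", "mail.example.test", 993, bearer_token="tok-alice")
    bob = TransferOptions("imaps", "mail.example.test", 993, bearer_token="tok-bob")
    pool.acquire(alice)
    conn, reused = pool.acquire(bob)
    results["bob_sent_as_alice"] = reused and conn.opts.bearer_token == "tok-alice"

    # 2. A lax transfer (no peer verification) followed by one that demands it.
    lax = TransferOptions("https", "files.example.test", 443, verify_peer=False)
    checked = TransferOptions("https", "files.example.test", 443, verify_peer=True)
    pool.acquire(lax)
    conn, reused = pool.acquire(checked)
    results["verified_transfer_on_unverified_tls"] = reused and not conn.opts.verify_peer

    # 3. Same SFTP host, different known_hosts files.
    ssh_a = TransferOptions("sftp", "backup.example.test", 22, username="ops",
                            ssh_known_hosts="/tmp/known_hosts.scratch")
    ssh_b = TransferOptions("sftp", "backup.example.test", 22, username="ops",
                            ssh_known_hosts="/etc/ssh/ssh_known_hosts")
    pool.acquire(ssh_a)
    conn, reused = pool.acquire(ssh_b)
    results["ssh_reused_across_known_hosts"] = reused
    return results


if __name__ == "__main__":
    print("endpoint-only key:", run_scenarios(strict=False))
    print("full-options key: ", run_scenarios(strict=True))
```

With the endpoint-only key every scenario reports True: Bob's mail transfer goes out on Alice's authenticated session, a transfer that asked for peer verification runs on an unverified TLS connection, and an SSH transfer ignores its own known_hosts choice. With the full key each pair gets a second, separately authenticated connection.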

CVE-ID: CVE-2022-32208
BDU-ID: 2022-06911
CVE-Crit: MEDIUM
CVE-DESC.: An out-of-bounds write in curl: during FTP transfers secured with krb5, message verification failures were handled incorrectly. Exploitation allows a remote attacker in a man-in-the-middle position to go unnoticed, inject data into the client and gain access to sensitive data.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update curl command

OS    Version  Architecture  Package  Version   Filename
ROSA  any      noarch        curl     < 7.61.1  UNKNOWN
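After yum update curl, what to verify is that the installed build is at or above the package_evr_string above, curl-7.61.1-30.rv3.2c, not merely that the upstream version reads 7.61.1: the affected-version column says "< 7.61.1", but the fixes are carried in a 7.61.1 build, so the release field is what separates a patched package from an unpatched one. The following Python is an added example, not ROSA tooling. It implements RPM's version-comparison rules (segment-wise numeric and alphabetic comparison, with ~ sorting before and ^ sorting after the end of a string) so that the output of rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' curl can be checked against the advisory's EVR offline; the sample installed strings are constructed.

```python
import re
import sys
from itertools import zip_longest

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~|\^")
_NEVR = re.compile(r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-]+)-(?P<release>[^-]+)$")

FIXED_PACKAGE = "curl-7.61.1-30.rv3.2c.src.rpm"   # package_evr_string from the advisory


def rpmvercmp(a, b):
    """RPM's segment-wise version/release comparison: returns -1, 0 or 1."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        # '~' sorts before anything, including the end of the string (1.0~rc1 < 1.0).
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        # '^' sorts after the end of the string but before any further segment
        # (1.0^git1 > 1.0, yet 1.0^git1 < 1.0.1).
        if x == "^" or y == "^":
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            continue
        if x is None:
            return -1   # a ran out of segments first, so a is older
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment is newer than an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)   # drops leading zeros, compares by value
        if x != y:
            return 1 if x > y else -1
    return 0


def parse_nevr(package):
    """Split 'name-[epoch:]version-release[.src.rpm]' into (name, epoch, version, release)."""
    for suffix in (".src.rpm", ".rpm"):
        if package.endswith(suffix):
            package = package[: -len(suffix)]
    m = _NEVR.match(package)
    if not m:
        raise ValueError(f"not a name-version-release string: {package!r}")
    return m["name"], int(m["epoch"] or 0), m["version"], m["release"]


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples the way rpm does."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def is_fixed(installed, fixed=FIXED_PACKAGE):
    """True if 'installed' is the same package at or above the fixed EVR."""
    name_i, *evr_i = parse_nevr(installed)
    name_f, *evr_f = parse_nevr(fixed)
    if name_i != name_f:
        raise ValueError(f"package name mismatch: {name_i} vs {name_f}")
    return evr_cmp(tuple(evr_i), tuple(evr_f)) >= 0


if __name__ == "__main__":
    # Constructed samples; on a ROSA host pass the real string instead:
    #   python3 check_curl.py "$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' curl)"
    samples = sys.argv[1:] or ["curl-7.61.1-22.rv3.2c", "curl-7.61.1-30.rv3.2c", "curl-7.61.1-31.rv3.2c"]
    for s in samples:
        print(s, "fixed" if is_fixed(s) else "VULNERABLE")
```

The query format deliberately omits the architecture suffix: a plain rpm -q prints curl-7.61.1-30.rv3.2c.x86_64, and the trailing .x86_64 would be read as extra release segments and make every build look newer than the advisory string.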
