CVE-2022-27779

Source: ubuntu.com (UB:CVE-2022-27779)
Published: May 11, 2022

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 32.5%

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if
the host name is provided with a trailing dot.

curl can be told to receive and send cookies. curl's "cookie engine" can be
built with or without Public Suffix List (PSL) awareness. If PSL support is
not provided, a more rudimentary check exists to at least prevent cookies
from being set on TLDs. This check was broken if the host name in the URL
uses a trailing dot.

This can allow arbitrary sites to set cookies that then would get sent to a
different and unrelated site or domain.
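
The failure mode described above, as an added C illustration that is not curl's source code: a simplified model of a non-PSL TLD check that treats any dot as proof of a registrable domain, beside a version that discards the trailing root dot first. All function names are hypothetical and the host and Domain values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Simplified model, not curl's code. All names here are hypothetical. */

/* Naive rule: any '.' means "not a TLD". A trailing dot satisfies it. */
static bool naive_is_tld(const char *d) { return strchr(d, '.') == NULL; }

/* Hardened rule: drop one trailing dot (the DNS root label), then require
   a dot that actually separates two labels. */
static bool hardened_is_tld(const char *d)
{
  size_t len = strlen(d);
  if(len && d[len - 1] == '.')
    len--;
  return len == 0 || memchr(d, '.', len) == NULL;
}

/* True if host ends with domain on a label boundary (case-insensitive). */
static bool tail_match(const char *host, const char *domain)
{
  size_t hl = strlen(host), dl = strlen(domain);
  if(dl == 0 || dl > hl || strcasecmp(host + hl - dl, domain) != 0)
    return false;
  return hl == dl || host[hl - dl - 1] == '.';
}

/* Accept a Domain= attribute only if it is not a TLD and covers the host. */
static bool accept_domain(const char *host, const char *domain,
                          bool (*is_tld)(const char *))
{
  if(*domain == '.')
    domain++; /* a leading dot in the attribute is ignored */
  return !is_tld(domain) && tail_match(host, domain);
}

bool naive_accepts(const char *h, const char *d) { return accept_domain(h, d, naive_is_tld); }
bool hardened_accepts(const char *h, const char *d) { return accept_domain(h, d, hardened_is_tld); }

int main(void)
{
  /* Constructed input: host written with a trailing dot, Domain=com. */
  printf("naive=%d hardened=%d\n", naive_accepts("example.com.", "com."),
         hardened_accepts("example.com.", "com."));
  return 0;
}
```

The hardened check still accepts a legitimate parent domain written with a trailing dot, so only the TLD-wide scope is rejected.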

Notes

alexmurray: Only affects curl versions between 7.82.0 and 7.83.0 and only when curl is built without libpsl
