CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
79.3%
Issue Overview:
A vulnerability was found in curl. This security flaw allows reusing OAUTH2-authenticated connections without properly ensuring that the connection was authenticated with the same credentials set for this transfer. This issue leads to an authentication bypass, either by mistake or by a malicious actor. (CVE-2022-22576)
A vulnerability was found in curl. This security flaw allows leaking credentials to other servers when it follows redirects from auth-protected HTTP(S) URLs to other protocols and port numbers. (CVE-2022-27774)
A vulnerability was found in curl. This security flaw occurs due to errors in the logic where the config matching function did not take the IPv6 address zone id into account. This issue can lead to curl reusing the wrong connection when one transfer uses a zone id, and the subsequent transfer uses another. (CVE-2022-27775)
A vulnerability was found in curl. This security flaw allows leak authentication or cookie header data on HTTP redirects to the same host but another port number. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom Authorization:
or Cookie:
headers. Those headers often contain privacy-sensitive information or data. (CVE-2022-27776)
Affected Packages:
curl
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update curl to update your system.
New Packages:
aarch64:
curl-7.79.1-2.amzn2.0.1.aarch64
libcurl-7.79.1-2.amzn2.0.1.aarch64
libcurl-devel-7.79.1-2.amzn2.0.1.aarch64
curl-debuginfo-7.79.1-2.amzn2.0.1.aarch64
i686:
curl-7.79.1-2.amzn2.0.1.i686
libcurl-7.79.1-2.amzn2.0.1.i686
libcurl-devel-7.79.1-2.amzn2.0.1.i686
curl-debuginfo-7.79.1-2.amzn2.0.1.i686
src:
curl-7.79.1-2.amzn2.0.1.src
x86_64:
curl-7.79.1-2.amzn2.0.1.x86_64
libcurl-7.79.1-2.amzn2.0.1.x86_64
libcurl-devel-7.79.1-2.amzn2.0.1.x86_64
curl-debuginfo-7.79.1-2.amzn2.0.1.x86_64
Red Hat: CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776
Mitre: CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | curl | < 7.79.1-2.amzn2.0.1 | curl-7.79.1-2.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | libcurl | < 7.79.1-2.amzn2.0.1 | libcurl-7.79.1-2.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | libcurl-devel | < 7.79.1-2.amzn2.0.1 | libcurl-devel-7.79.1-2.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | curl-debuginfo | < 7.79.1-2.amzn2.0.1 | curl-debuginfo-7.79.1-2.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | i686 | curl | < 7.79.1-2.amzn2.0.1 | curl-7.79.1-2.amzn2.0.1.i686.rpm |
Amazon Linux | 2 | i686 | libcurl | < 7.79.1-2.amzn2.0.1 | libcurl-7.79.1-2.amzn2.0.1.i686.rpm |
Amazon Linux | 2 | i686 | libcurl-devel | < 7.79.1-2.amzn2.0.1 | libcurl-devel-7.79.1-2.amzn2.0.1.i686.rpm |
Amazon Linux | 2 | i686 | curl-debuginfo | < 7.79.1-2.amzn2.0.1 | curl-debuginfo-7.79.1-2.amzn2.0.1.i686.rpm |
Amazon Linux | 2 | x86_64 | curl | < 7.79.1-2.amzn2.0.1 | curl-7.79.1-2.amzn2.0.1.x86_64.rpm |
Amazon Linux | 2 | x86_64 | libcurl | < 7.79.1-2.amzn2.0.1 | libcurl-7.79.1-2.amzn2.0.1.x86_64.rpm |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
79.3%