Lucene search

[email protected]CVE-2022-32206

HistoryJul 07, 2022 - 1:15 p.m.

CVE-2022-32206

2022-07-0713:15:08

CWE-770

[email protected]

web.nvd.nist.gov

193

cve-2022-32206

curl

http compression

security vulnerability

malloc bomb

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7.9 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

59.1%

JSON

curl < 7.84.0 supports “chained” HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable “links” in this “decompression chain” was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a “malloc bomb”, makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.

Affected configurations

NVD

Node

haxxcurlRange<7.84.0

Node

fedoraprojectfedoraMatch35

Node

debiandebian_linuxMatch10.0

debiandebian_linuxMatch11.0

Node

netappclustered_data_ontapMatch-

netappelement_softwareMatch-

netapphci_management_nodeMatch-

netappsolidfireMatch-

Node

netapphci_compute_nodeMatch-

AND

netappbootstrap_osMatch-

Node

netapph300sMatch-

AND

netapph300s_firmwareMatch-

Node

netapph500sMatch-

AND

netapph500s_firmwareMatch-

Node

netapph700sMatch-

AND

netapph700s_firmwareMatch-

Node

netapph410sMatch-

AND

netapph410s_firmwareMatch-

Node

siemensscalance_sc622-2cMatch-

AND

siemensscalance_sc622-2c_firmwareRange<3.0

Node

siemensscalance_sc626-2cMatch-

AND

siemensscalance_sc626-2c_firmwareRange<3.0

Node

siemensscalance_sc632-2c_firmwareRange<3.0

AND

siemensscalance_sc632-2cMatch-

Node

siemensscalance_sc636-2c_firmwareRange<3.0

AND

siemensscalance_sc636-2cMatch-

Node

siemensscalance_sc642-2c_firmwareRange<3.0

AND

siemensscalance_sc642-2cMatch-

Node

siemensscalance_sc646-2c_firmwareRange<3.0

AND

siemensscalance_sc646-2cMatch-

Node

splunkuniversal_forwarderRange8.2.0–8.2.12

splunkuniversal_forwarderRange9.0.0–9.0.6

splunkuniversal_forwarderMatch9.1.0

CPENameOperatorVersion
haxx:curlhaxx curllt7.84.0

CPE	Name	Operator	Version
haxx:curl	haxx curl	lt	7.84.0

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "https://github.com/curl/curl",
    "versions": [
      {
        "version": "Fixed in 7.84.0",
        "status": "affected"
      }
    ]
  }
]