CVE-2022-27779

2022-06-0214:15:44

Google

osv.dev

0.001 Low

EPSS

Percentile

34.4%

JSON

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl’s “cookie engine” can bebuilt with or without Public Suffix Listawareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.

CPENameOperatorVersion
curleq7.19.4-r0
curleq7.42.1-r0
curleq7.52.0-r0
curleq7.44.0-r0
curleq7.77.0-r1
curleq7.46.0-r2
curleq7.69.1-r0
curleq7.39.0-r0
curleq7.75.0-r0
curleq7.46.0-r0

Name	Operator	Version
curl	eq	7.19.4-r0
curl	eq	7.42.1-r0
curl	eq	7.52.0-r0
curl	eq	7.44.0-r0
curl	eq	7.77.0-r1
curl	eq	7.46.0-r2
curl	eq	7.69.1-r0
curl	eq	7.39.0-r0
curl	eq	7.75.0-r0
curl	eq	7.46.0-r0