CVE-2022-35260

2022-12-0522:15:10

Google

osv.dev

cve-2022-35260

denial of service

buffer overflow

netrc file

stack-based buffer

security flaw

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

52.1%

JSON

curl can be told to parse a .netrc file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

CPENameOperatorVersion
curleq7.81.0-r0
curleq7.71.0-r1
curleq7.32.0-r0
curleq7.34.0-r1
curleq7.21.4-r1
curleq7.44.0-r0
curleq7.19.2-r1
curleq7.46.0-r1
curleq7.69.1-r0
curleq7.63.0-r0

Name	Operator	Version
curl	eq	7.81.0-r0
curl	eq	7.71.0-r1
curl	eq	7.32.0-r0
curl	eq	7.34.0-r1
curl	eq	7.21.4-r1
curl	eq	7.44.0-r0
curl	eq	7.19.2-r1
curl	eq	7.46.0-r1
curl	eq	7.69.1-r0
curl	eq	7.63.0-r0