cURL up to 7.83.x HTTP Response allocation of resources

Summaryinfo

A vulnerability marked as problematic has been reported in cURL up to 7.83.x. This issue affects some unknown processing of the component HTTP Response Handler. Performing a manipulation results in allocation of resources. This vulnerability is identified as CVE-2022-32205. The attack can be initiated remotely. Additionally, an exploit exists. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in cURL up to 7.83.x (Network Utility Software). It has been classified as problematic. This affects an unknown code of the component HTTP Response Handler. The manipulation with an unknown input leads to a allocation of resources vulnerability. CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. This is going to have an impact on availability. The summary by CVE is:

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

The weakness was released 07/07/2022. The advisory is shared at hackerone.com. This vulnerability is uniquely identified as CVE-2022-32205 since 06/01/2022. It demands that the victim is doing some kind of user interaction. Technical details are unknown but a public exploit is available. MITRE ATT&CK project uses the attack technique T1499 for this issue.

The exploit is shared for download at hackerone.com. It is declared as proof-of-concept.

Upgrading to version 7.84.0 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Network Utility Software

Name

• cURL

Version

• 7.0
• 7.1
• 7.2
• 7.3
• 7.4
• 7.5
• 7.6
• 7.7
• 7.8
• 7.9
• 7.10
• 7.11
• 7.12
• 7.13
• 7.14
• 7.15
• 7.16
• 7.17
• 7.18
• 7.19
• 7.20
• 7.21
• 7.22
• 7.23
• 7.24
• 7.25
• 7.26
• 7.27
• 7.28
• 7.29
• 7.30
• 7.31
• 7.32
• 7.33
• 7.34
• 7.35
• 7.36
• 7.37
• 7.38
• 7.39
• 7.40
• 7.41
• 7.42
• 7.43
• 7.44
• 7.45
• 7.46
• 7.47
• 7.48
• 7.49
• 7.50
• 7.51
• 7.52
• 7.53
• 7.54
• 7.55
• 7.56
• 7.57
• 7.58
• 7.59
• 7.60
• 7.61
• 7.62
• 7.63
• 7.64
• 7.65
• 7.66
• 7.67
• 7.68
• 7.69
• 7.70
• 7.71
• 7.72
• 7.73
• 7.74
• 7.75
• 7.76
• 7.77
• 7.78
• 7.79
• 7.80
• 7.81
• 7.82
• 7.83

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion