cURL up to 7.86.0 CONNECT Request double free

Summaryinfo

A vulnerability was found in cURL up to 7.86.0. It has been rated as critical. This issue affects some unknown processing of the component CONNECT Request Handler. The manipulation leads to double free. This vulnerability is listed as CVE-2022-42915. The attack may be initiated remotely. There is no available exploit.

Detailsinfo

A vulnerability was found in cURL up to 7.86.0 (Network Utility Software) and classified as critical. This issue affects an unknown function of the component CONNECT Request Handler. The manipulation with an unknown input leads to a double free vulnerability. Using CWE to declare the problem leads to CWE-415. The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.

The weakness was presented 10/31/2022. The advisory is shared at curl.se. The identification of this vulnerability is CVE-2022-42915 since 10/13/2022. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 11/17/2024).

The vulnerability scanner Nessus provides a plugin with the ID 211079 (Fedora 37 : curl (2022-e9d65906c4)), which helps to determine the existence of the flaw in a target environment.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at Tenable (211079). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Network Utility Software

Name

• cURL

Version

• 7.0
• 7.1
• 7.2
• 7.3
• 7.4
• 7.5
• 7.6
• 7.7
• 7.8
• 7.9
• 7.10
• 7.11
• 7.12
• 7.13
• 7.14
• 7.15
• 7.16
• 7.17
• 7.18
• 7.19
• 7.20
• 7.21
• 7.22
• 7.23
• 7.24
• 7.25
• 7.26
• 7.27
• 7.28
• 7.29
• 7.30
• 7.31
• 7.32
• 7.33
• 7.34
• 7.35
• 7.36
• 7.37
• 7.38
• 7.39
• 7.40
• 7.41
• 7.42
• 7.43
• 7.44
• 7.45
• 7.46
• 7.47
• 7.48
• 7.49
• 7.50
• 7.51
• 7.52
• 7.53
• 7.54
• 7.55
• 7.56
• 7.57
• 7.58
• 7.59
• 7.60
• 7.61
• 7.62
• 7.63
• 7.64
• 7.65
• 7.66
• 7.67
• 7.68
• 7.69
• 7.70
• 7.71
• 7.72
• 7.73
• 7.74
• 7.75
• 7.76
• 7.77
• 7.78
• 7.79
• 7.80
• 7.81
• 7.82
• 7.83
• 7.84
• 7.85
• 7.86.0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion