CVE-2022-22576

Published: May 26, 2022Modified: May 27, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

Affected (15)

Products: Haxx: Curl · Debian: Debian Linux · Brocade: Fabric Operating System · +2 more

Show all products

Haxx: Curl · Debian: Debian Linux · Brocade: Fabric Operating System · Netapp: Clustered Data Ontap, Solidfire & Hci Management Node, Solidfire & Hci Storage Node, Bootstrap Os, H300s Firmware, H500s Firmware, H700s Firmware, H410s Firmware · Splunk: Universal Forwarder

1 product

1 product

1 product

Fabric Operating System

Netapp

8 products

Clustered Data Ontap

Solidfire & Hci Management Node

Solidfire & Hci Storage Node

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Haxx Curl	From 7.33.0 to 7.83.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Brocade Fabric Operating System	All versions
Netapp Clustered Data Ontap	All versions
Netapp Solidfire & Hci Management Node	All versions
Netapp Solidfire & Hci Storage Node	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp Bootstrap Os	All versions

Running on/with	Platform Versions
Netapp Hci Compute Node	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H300s Firmware	All versions

Running on/with	Platform Versions
Netapp H300s	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H500s Firmware	All versions

Running on/with	Platform Versions
Netapp H500s	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H700s Firmware	All versions

Running on/with	Platform Versions
Netapp H700s	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H410s Firmware	All versions

Running on/with	Platform Versions
Netapp H410s	All versions

Configuration I

3 vulnerable

Vulnerable Software	Affected Versions
Splunk Universal Forwarder	From 8.2.0 to 8.2.12
Splunk Universal Forwarder	From 9.0.0 to 9.0.6
Splunk Universal Forwarder	Version 9.1.0

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-306

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (11)

https://hackerone.com/reports/1526328

Source: support@hackerone.com

ExploitIssue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202212-01

Source: support@hackerone.com

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220609-0008/

Source: support@hackerone.com

Third Party Advisory

https://www.debian.org/security/2022/dsa-5197

Source: support@hackerone.com

Third Party Advisory

https://hackerone.com/reports/1526328