CVE-2022-27782

Published: Jun 2, 2022Modified: May 27, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

Affected (6)

Products: Haxx: Curl · Debian: Debian Linux · Splunk: Universal Forwarder

1 product

1 product

1 product

Universal Forwarder

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Haxx Curl	Before 7.83.1

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Splunk Universal Forwarder	From 8.2.0 to 8.2.12
Splunk Universal Forwarder	From 9.0.0 to 9.0.6
Splunk Universal Forwarder	Version 9.1.0

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (13)

http://www.openwall.com/lists/oss-security/2023/03/20/6

Source: support@hackerone.com

Mailing List

https://hackerone.com/reports/1555796

Source: support@hackerone.com

ExploitThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202212-01

Source: support@hackerone.com

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220609-0009/

Source: support@hackerone.com

Third Party Advisory

https://www.debian.org/security/2022/dsa-5197

Source: support@hackerone.com

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/03/20/6

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

https://hackerone.com/reports/1555796

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202212-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220609-0009/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2022/dsa-5197

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://hackerone.com/reports/1555796

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.