← Back

CVE-2022-30115

nvd nist
Published: Jun 2, 2022Modified: Nov 21, 2024

JSON object

Loading...
4.3
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 / Impact: 1.4
Source: NVD

Description

Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.

Affected (12)

Haxx
1 product
Curl
Netapp
8 products
Hci Bootstrap Os
Clustered Data Ontap
Solidfire, Enterprise Sds & Hci Storage Node
Solidfire & Hci Management Node
H300s Firmware
H500s Firmware
H700s Firmware
H410s Firmware
Splunk
1 product
Universal Forwarder
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Curl
From 7.82.0 to 7.83.1
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Hci Bootstrap Os
All versions
Running on/withPlatform Versions
Netapp
Hci Compute Node
All versions
Configuration C
3 vulnerable
Vulnerable SoftwareAffected Versions
Clustered Data Ontap
All versions
Solidfire, Enterprise Sds & Hci Storage Node
All versions
Solidfire & Hci Management Node
All versions
Configuration D
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
H300s Firmware
All versions
Running on/withPlatform Versions
Netapp
H300s
All versions
Configuration E
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
H500s Firmware
All versions
Running on/withPlatform Versions
Netapp
H500s
All versions
Configuration F
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
H700s Firmware
All versions
Running on/withPlatform Versions
Netapp
H700s
All versions
Configuration G
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
H410s Firmware
All versions
Running on/withPlatform Versions
Netapp
H410s
All versions
Configuration H
3 vulnerable
Vulnerable SoftwareAffected Versions
Splunk
Universal Forwarder
From 8.2.0 to 8.2.12
Universal Forwarder
From 9.0.0 to 9.0.6
Universal Forwarder
Version 9.1.0

Related CWEs

CWE-319
Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CWE-325
Missing Cryptographic Step
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

References (10)

Source: support@hackerone.com
Mailing ListPatchThird Party Advisory
Source: support@hackerone.com
Mailing ListThird Party Advisory
Source: support@hackerone.com
ExploitThird Party Advisory
Source: support@hackerone.com
Third Party Advisory
Source: support@hackerone.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.