CVE-2022-32208

Description

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

Affected (17)

Products: Haxx: Curl · Fedoraproject: Fedora · Debian: Debian Linux · +3 more

Show all products

1 product

1 product

1 product

9 products

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Haxx Curl	From 7.16.4 to 7.84.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 35

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Configuration D

4 vulnerable

Vulnerable Software	Affected Versions
Netapp Clustered Data Ontap	All versions
Netapp Element Software	All versions
Netapp Hci Management Node	All versions
Netapp Solidfire	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp Bootstrap Os	All versions

Running on/with	Platform Versions
Netapp Hci Compute Node	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H300s Firmware	All versions

Running on/with	Platform Versions
Netapp H300s	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H500s Firmware	All versions

Running on/with	Platform Versions
Netapp H500s	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H700s Firmware	All versions

Running on/with	Platform Versions
Netapp H700s	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H410s Firmware	All versions

Running on/with	Platform Versions
Netapp H410s	All versions

Configuration J

1 vulnerable

Vulnerable Software	Affected Versions
Apple Macos	Before 13.0

Configuration K

3 vulnerable

Vulnerable Software	Affected Versions
Splunk Universal Forwarder	From 8.2.0 to 8.2.12
Splunk Universal Forwarder	From 9.0.0 to 9.0.6
Splunk Universal Forwarder	Version 9.1.0

Related CWEs

CWE-787

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

CWE-840

References (18)

http://seclists.org/fulldisclosure/2022/Oct/28

Source: support@hackerone.com

Mailing ListThird Party Advisory

http://seclists.org/fulldisclosure/2022/Oct/41

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://hackerone.com/reports/1590071

Source: support@hackerone.com

ExploitThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202212-01

Source: support@hackerone.com

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220915-0003/

Source: support@hackerone.com

Third Party Advisory

https://support.apple.com/kb/HT213488

Source: support@hackerone.com

Third Party Advisory

https://www.debian.org/security/2022/dsa-5197

Source: support@hackerone.com

Third Party Advisory

http://seclists.org/fulldisclosure/2022/Oct/28