github - ghsa-7xmh-mw7w-rr97

ghsa-7xmh-mw7w-rr97

Vulnerability from github

Published

2022-06-03 00:01

Modified

2024-03-27 15:30

Severity

5.7 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Details

An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.",
  "id": "GHSA-7xmh-mw7w-rr97",
  "modified": "2024-03-27T15:30:35Z",
  "published": "2022-06-03T00:01:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27774"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1543773"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202212-01"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220609-0008"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5197"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2022-27774

Vulnerability from cvelistv5

Published

2022-06-01 00:00

Modified

2024-08-03 05:32

Severity

Summary

An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.

References

URL	Tags
https://hackerone.com/reports/1543773
https://security.netapp.com/advisory/ntap-20220609-0008/
https://www.debian.org/security/2022/dsa-5197	vendor-advisory
https://security.gentoo.org/glsa/202212-01	vendor-advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html	mailing-list

Impacted products

Vendor	Product
n/a	https://github.com/curl/curl

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:32:59.946Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1543773"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220609-0008/"
          },
          {
            "name": "DSA-5197",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5197"
          },
          {
            "name": "GLSA-202212-01",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202212-01"
          },
          {
            "name": "[debian-lts-announce] 20230128 [SECURITY] [DLA 3288-1] curl security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "https://github.com/curl/curl",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "curl 4.9 to and include curl 7.82.0 are affected"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "Insufficiently Protected Credentials (CWE-522)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-28T00:00:00",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/1543773"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220609-0008/"
        },
        {
          "name": "DSA-5197",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5197"
        },
        {
          "name": "GLSA-202212-01",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202212-01"
        },
        {
          "name": "[debian-lts-announce] 20230128 [SECURITY] [DLA 3288-1] curl security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2022-27774",
    "datePublished": "2022-06-01T00:00:00",
    "dateReserved": "2022-03-23T00:00:00",
    "dateUpdated": "2024-08-03T05:32:59.946Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.