Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-35252 (GCVE-0-2022-35252)
Vulnerability from cvelistv5 – Published: 2022-09-23 00:00 – Updated: 2025-05-05 16:14
VLAI
EPSS
Summary
When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.
Severity
CWE
- CWE-20 - Improper Input Validation (CWE-20)
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | https://github.com/curl/curl |
Affected:
Fixed in curl 7.85.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.455Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://hackerone.com/reports/1613943"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220930-0005/"
},
{
"name": "GLSA-202212-01",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202212-01"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213603"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213604"
},
{
"name": "20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2023/Jan/20"
},
{
"name": "20230123 APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2023/Jan/21"
},
{
"name": "[debian-lts-announce] 20230128 [SECURITY] [DLA 3288-1] curl security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-35252",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:30:42.952225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T16:14:44.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/curl/curl",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in curl 7.85.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-28T00:00:00.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://hackerone.com/reports/1613943"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220930-0005/"
},
{
"name": "GLSA-202212-01",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202212-01"
},
{
"url": "https://support.apple.com/kb/HT213603"
},
{
"url": "https://support.apple.com/kb/HT213604"
},
{
"name": "20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2023/Jan/20"
},
{
"name": "20230123 APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2023/Jan/21"
},
{
"name": "[debian-lts-announce] 20230128 [SECURITY] [DLA 3288-1] curl security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2022-35252",
"datePublished": "2022-09-23T00:00:00.000Z",
"dateReserved": "2022-07-06T00:00:00.000Z",
"dateUpdated": "2025-05-05T16:14:44.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-35252",
"date": "2026-05-27",
"epss": "0.00289",
"percentile": "0.5239"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-35252\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2022-09-23T14:15:12.323\",\"lastModified\":\"2025-05-05T17:18:16.463\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\\\"sister site\\\" to deny service to all siblings.\"},{\"lang\":\"es\",\"value\":\"Cuando curl es usado para recuperar y analizar las cookies de un servidor HTTP(S), acepta las cookies usando c\u00f3digos de control que cuando son enviados de vuelta a un servidor HTTP podr\u00edan hacer que el servidor devolviera respuestas 400. En efecto, permite que un \\\"sitio hermano\\\" deniegue el servicio a todos los hermanos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.85.0\",\"matchCriteriaId\":\"B7B9B38C-6728-408E-93C9-98C042DA9DD3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FE996B1-6951-4F85-AA58-B99A379D2163\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"85DF4B3F-4BBC-42B7-B729-096934523D63\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A3C19813-E823-456A-B1CE-EC0684CE1953\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"95BA156C-C977-4F0C-8DFB-3FAE9CC8C02D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD7447BC-F315-4298-A822-549942FC118B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6770B6C3-732E-4E22-BF1C-2D2FD610061C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F9C8C20-42EB-4AB5-BD97-212DEB070C43\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7FFF7106-ED78-49BA-9EC5-B889E3685D53\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E63D8B0F-006E-4801-BF9D-1C001BBFB4F9\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"56409CEC-5A1E-4450-AA42-641E459CC2AF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B06F4839-D16A-4A61-9BB5-55B13F41E47F\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0B4AD8A-F172-4558-AEC6-FF424BA2D912\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8497A4C9-8474-4A62-8331-3FE862ED4098\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0\",\"versionEndExcluding\":\"11.7.3\",\"matchCriteriaId\":\"4D13504E-ABCF-4E6F-8984-EADB123DFDD2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.6.3\",\"matchCriteriaId\":\"C71359B9-7DCE-4F45-B03F-77CF313A74EA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.2.0\",\"versionEndExcluding\":\"8.2.12\",\"matchCriteriaId\":\"5722E753-75DE-4944-A11B-556CB299B57D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.0.6\",\"matchCriteriaId\":\"DC0F9351-81A4-4FEA-B6B5-6E960A933D32\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EED24E67-2957-4C1B-8FEA-E2D2FE7B97FC\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/fulldisclosure/2023/Jan/20\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2023/Jan/21\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1613943\",\"source\":\"support@hackerone.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202212-01\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20220930-0005/\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT213603\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT213604\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2023/Jan/20\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2023/Jan/21\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1613943\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202212-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20220930-0005/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT213603\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT213604\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"shortName\": \"hackerone\", \"dateUpdated\": \"2023-01-28T00:00:00.000Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\\\"sister site\\\" to deny service to all siblings.\"}], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"https://github.com/curl/curl\", \"versions\": [{\"version\": \"Fixed in curl 7.85.0\", \"status\": \"affected\"}]}], \"references\": [{\"url\": \"https://hackerone.com/reports/1613943\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20220930-0005/\"}, {\"name\": \"GLSA-202212-01\", \"tags\": [\"vendor-advisory\"], \"url\": \"https://security.gentoo.org/glsa/202212-01\"}, {\"url\": \"https://support.apple.com/kb/HT213603\"}, {\"url\": \"https://support.apple.com/kb/HT213604\"}, {\"name\": \"20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3\", \"tags\": [\"mailing-list\"], \"url\": \"http://seclists.org/fulldisclosure/2023/Jan/20\"}, {\"name\": \"20230123 APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3\", \"tags\": [\"mailing-list\"], \"url\": \"http://seclists.org/fulldisclosure/2023/Jan/21\"}, {\"name\": \"[debian-lts-announce] 20230128 [SECURITY] [DLA 3288-1] curl security update\", \"tags\": [\"mailing-list\"], \"url\": \"https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html\"}], \"problemTypes\": [{\"descriptions\": [{\"type\": \"CWE\", \"lang\": \"en\", \"description\": \"Improper Input Validation (CWE-20)\", \"cweId\": \"CWE-20\"}]}]}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T09:29:17.455Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://hackerone.com/reports/1613943\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20220930-0005/\", \"tags\": [\"x_transferred\"]}, {\"name\": \"GLSA-202212-01\", \"tags\": [\"vendor-advisory\", \"x_transferred\"], \"url\": \"https://security.gentoo.org/glsa/202212-01\"}, {\"url\": \"https://support.apple.com/kb/HT213603\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://support.apple.com/kb/HT213604\", \"tags\": [\"x_transferred\"]}, {\"name\": \"20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3\", \"tags\": [\"mailing-list\", \"x_transferred\"], \"url\": \"http://seclists.org/fulldisclosure/2023/Jan/20\"}, {\"name\": \"20230123 APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3\", \"tags\": [\"mailing-list\", \"x_transferred\"], \"url\": \"http://seclists.org/fulldisclosure/2023/Jan/21\"}, {\"name\": \"[debian-lts-announce] 20230128 [SECURITY] [DLA 3288-1] curl security update\", \"tags\": [\"mailing-list\", \"x_transferred\"], \"url\": \"https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-35252\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:30:42.952225Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-05T13:08:11.726Z\"}}]}",
"cveMetadata": "{\"state\": \"PUBLISHED\", \"cveId\": \"CVE-2022-35252\", \"assignerOrgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"assignerShortName\": \"hackerone\", \"dateUpdated\": \"2025-05-05T16:14:44.468Z\", \"dateReserved\": \"2022-07-06T00:00:00.000Z\", \"datePublished\": \"2022-09-23T00:00:00.000Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
SSA-558014
Vulnerability from csaf_siemens - Published: 2023-04-11 00:00 - Updated: 2023-04-11 00:00Summary
SSA-558014: Third-Party Component Vulnerabilities in SCALANCE XCM332 before V2.2
Notes
Summary: Multiple vulnerabilities in the third-party components cURL, BusyBox, libtirpc, Expat as well as in the Linux Kernel could allow an attacker to impact the SCALANCE XCM332 device's confidentiality, integrity and availability.
Siemens has released an update for the SCALANCE XCM332 and recommends to update to the latest version.
General Recommendations: As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use: Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
CWE-362
- Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SCALANCE XCM332 (6GK5332-0GA01-2AC2)
Siemens / SCALANCE XCM332 (6GK5332-0GA01-2AC2)
|
6GK5332-0GA01-2AC2
|
vers:all/<V2.2 |
Vendor Fix
fix
|
References
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Multiple vulnerabilities in the third-party components cURL, BusyBox, libtirpc, Expat as well as in the Linux Kernel could allow an attacker to impact the SCALANCE XCM332 device\u0027s confidentiality, integrity and availability.\n\nSiemens has released an update for the SCALANCE XCM332 and recommends to update to the latest version.",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "productcert@siemens.com",
"name": "Siemens ProductCERT",
"namespace": "https://www.siemens.com"
},
"references": [
{
"category": "self",
"summary": "SSA-558014: Third-Party Component Vulnerabilities in SCALANCE XCM332 before V2.2 - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-558014.html"
},
{
"category": "self",
"summary": "SSA-558014: Third-Party Component Vulnerabilities in SCALANCE XCM332 before V2.2 - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-558014.json"
},
{
"category": "self",
"summary": "SSA-558014: Third-Party Component Vulnerabilities in SCALANCE XCM332 before V2.2 - PDF Version",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-558014.pdf"
},
{
"category": "self",
"summary": "SSA-558014: Third-Party Component Vulnerabilities in SCALANCE XCM332 before V2.2 - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/ssa-558014.txt"
}
],
"title": "SSA-558014: Third-Party Component Vulnerabilities in SCALANCE XCM332 before V2.2",
"tracking": {
"current_release_date": "2023-04-11T00:00:00Z",
"generator": {
"engine": {
"name": "Siemens ProductCERT CSAF Generator",
"version": "1"
}
},
"id": "SSA-558014",
"initial_release_date": "2023-04-11T00:00:00Z",
"revision_history": [
{
"date": "2023-04-11T00:00:00Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "interim",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/\u003cV2.2",
"product": {
"name": "SCALANCE XCM332 (6GK5332-0GA01-2AC2)",
"product_id": "1",
"product_identification_helper": {
"model_numbers": [
"6GK5332-0GA01-2AC2"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XCM332 (6GK5332-0GA01-2AC2)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-46828",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "summary",
"text": "In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V2.2 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109817513/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-46828"
},
{
"cve": "CVE-2022-1652",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V2.2 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109817513/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-1652"
},
{
"cve": "CVE-2022-1729",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "summary",
"text": "A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V2.2 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109817513/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-1729"
},
{
"cve": "CVE-2022-30065",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free in Busybox 1.35-x\u0027s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V2.2 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109817513/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-30065"
},
{
"cve": "CVE-2022-32205",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "summary",
"text": "A malicious server can serve excessive amounts of \"Set-Cookie:\" headers in a HTTP response to curl and curl \u003c 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven\u0027t expired. Due to cookie matching rules, a server on \"foo.example.com\" can set cookies that also would match for \"bar.example.com\", making it it possible for a \"sister server\" to effectively cause a denial of service for a sibling site on the same second level domain using this method.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V2.2 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109817513/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-32205"
},
{
"cve": "CVE-2022-32206",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "summary",
"text": "curl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V2.2 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109817513/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-32206"
},
{
"cve": "CVE-2022-32207",
"cwe": {
"id": "CWE-276",
"name": "Incorrect Default Permissions"
},
"notes": [
{
"category": "summary",
"text": "When curl \u003c 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V2.2 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109817513/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-32207"
},
{
"cve": "CVE-2022-32208",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "summary",
"text": "When curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V2.2 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109817513/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-32208"
},
{
"cve": "CVE-2022-35252",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"notes": [
{
"category": "summary",
"text": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V2.2 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109817513/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-35252"
},
{
"cve": "CVE-2022-40674",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V2.2 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109817513/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-40674"
}
]
}
SSA-892048
Vulnerability from csaf_siemens - Published: 2023-05-09 00:00 - Updated: 2023-05-09 00:00Summary
SSA-892048: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1
Notes
Summary: Multiple vulnerabilities affecting third-party components libexpat and libcurl of SINEC NMS before V1.0.3.1 could allow an attacker to impact SINEC NMS confidentiality, integrity and availability.
Siemens has released an update for SINEC NMS and recommends to update to the latest version.
General Recommendations: As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use: Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
References
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Multiple vulnerabilities affecting third-party components libexpat and libcurl of SINEC NMS before V1.0.3.1 could allow an attacker to impact SINEC NMS confidentiality, integrity and availability.\n\nSiemens has released an update for SINEC NMS and recommends to update to the latest version.",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "productcert@siemens.com",
"name": "Siemens ProductCERT",
"namespace": "https://www.siemens.com"
},
"references": [
{
"category": "self",
"summary": "SSA-892048: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1 - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-892048.html"
},
{
"category": "self",
"summary": "SSA-892048: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1 - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-892048.json"
},
{
"category": "self",
"summary": "SSA-892048: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1 - PDF Version",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-892048.pdf"
},
{
"category": "self",
"summary": "SSA-892048: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1 - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/ssa-892048.txt"
}
],
"title": "SSA-892048: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1",
"tracking": {
"current_release_date": "2023-05-09T00:00:00Z",
"generator": {
"engine": {
"name": "Siemens ProductCERT CSAF Generator",
"version": "1"
}
},
"id": "SSA-892048",
"initial_release_date": "2023-05-09T00:00:00Z",
"revision_history": [
{
"date": "2023-05-09T00:00:00Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/\u003cV1.0.3.1",
"product": {
"name": "SINEC NMS",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "SINEC NMS"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-32221",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"notes": [
{
"category": "summary",
"text": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V1.0.3.1 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109818269/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-32221"
},
{
"cve": "CVE-2022-35252",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"notes": [
{
"category": "summary",
"text": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V1.0.3.1 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109818269/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-35252"
},
{
"cve": "CVE-2022-35260",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "summary",
"text": "curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V1.0.3.1 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109818269/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-35260"
},
{
"cve": "CVE-2022-40674",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V1.0.3.1 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109818269/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-40674"
},
{
"cve": "CVE-2022-42915",
"cwe": {
"id": "CWE-415",
"name": "Double Free"
},
"notes": [
{
"category": "summary",
"text": "curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V1.0.3.1 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109818269/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-42915"
},
{
"cve": "CVE-2022-42916",
"cwe": {
"id": "CWE-319",
"name": "Cleartext Transmission of Sensitive Information"
},
"notes": [
{
"category": "summary",
"text": "In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V1.0.3.1 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109818269/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-42916"
},
{
"cve": "CVE-2022-43551",
"cwe": {
"id": "CWE-319",
"name": "Cleartext Transmission of Sensitive Information"
},
"notes": [
{
"category": "summary",
"text": "A vulnerability exists in curl \u003c7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V1.0.3.1 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109818269/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-43551"
},
{
"cve": "CVE-2022-43552",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using an appropriate HTTP error response code. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V1.0.3.1 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109818269/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-43552"
},
{
"cve": "CVE-2022-43680",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V1.0.3.1 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109818269/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-43680"
}
]
}
SSA-942865
Vulnerability from csaf_siemens - Published: 2023-06-13 00:00 - Updated: 2023-06-14 00:00Summary
SSA-942865: Multiple Vulnerabilities in the Integrated SCALANCE S615 of SINAMICS Medium Voltage Products
Notes
Summary: SINAMICS PERFECT HARMONY GH180 is affected by multiple vulnerabilities in the integrated SCALANCE S615 device, as documented in SSA-419740 (
https://cert-portal.siemens.com/productcert/html/ssa-419740.html).
Siemens recommends to update the firmware of the integrated SCALANCE S615 device to the latest version. Siemens recommends specific countermeasures for products where the firmware update is not, or not yet applied.
Additional considerations regarding the specific impact of the vulnerabilities to SINAMICS MV products can be found in the chapter "Additional Information".
General Recommendations: As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use: Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
CWE-787
- Out-of-bounds Write
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-125
- Out-of-bounds Read
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
9.8 (Critical)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
9.8 (Critical)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-295
- Improper Certificate Validation
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-404
- Improper Resource Shutdown or Release
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-416
- Use After Free
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-770
- Allocation of Resources Without Limits or Throttling
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-770
- Allocation of Resources Without Limits or Throttling
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
9.8 (Critical)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-787
- Out-of-bounds Write
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-1286
- Improper Validation of Syntactic Correctness of Input
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
CWE-20
- Improper Input Validation
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SINAMICS PERFECT HARMONY GH180 6SR5
Siemens / SINAMICS PERFECT HARMONY GH180 6SR5
|
vers:all/* |
Mitigation
Mitigation
Vendor Fix
|
References
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "SINAMICS PERFECT HARMONY GH180 is affected by multiple vulnerabilities in the integrated SCALANCE S615 device, as documented in SSA-419740 (\nhttps://cert-portal.siemens.com/productcert/html/ssa-419740.html).\nSiemens recommends to update the firmware of the integrated SCALANCE S615 device to the latest version. Siemens recommends specific countermeasures for products where the firmware update is not, or not yet applied.\n\nAdditional considerations regarding the specific impact of the vulnerabilities to SINAMICS MV products can be found in the chapter \"Additional Information\".",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "productcert@siemens.com",
"name": "Siemens ProductCERT",
"namespace": "https://www.siemens.com"
},
"references": [
{
"category": "self",
"summary": "SSA-942865: Multiple Vulnerabilities in the Integrated SCALANCE S615 of SINAMICS Medium Voltage Products - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-942865.html"
},
{
"category": "self",
"summary": "SSA-942865: Multiple Vulnerabilities in the Integrated SCALANCE S615 of SINAMICS Medium Voltage Products - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-942865.json"
},
{
"category": "self",
"summary": "SSA-942865: Multiple Vulnerabilities in the Integrated SCALANCE S615 of SINAMICS Medium Voltage Products - PDF Version",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-942865.pdf"
},
{
"category": "self",
"summary": "SSA-942865: Multiple Vulnerabilities in the Integrated SCALANCE S615 of SINAMICS Medium Voltage Products - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/ssa-942865.txt"
}
],
"title": "SSA-942865: Multiple Vulnerabilities in the Integrated SCALANCE S615 of SINAMICS Medium Voltage Products",
"tracking": {
"current_release_date": "2023-06-14T00:00:00Z",
"generator": {
"engine": {
"name": "Siemens ProductCERT CSAF Generator",
"version": "1"
}
},
"id": "SSA-942865",
"initial_release_date": "2023-06-13T00:00:00Z",
"revision_history": [
{
"date": "2023-06-13T00:00:00Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
},
{
"date": "2023-06-14T00:00:00Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Removed not affected products SINAMICS GL150 and SINAMICS SL150"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SINAMICS PERFECT HARMONY GH180 6SR5",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "SINAMICS PERFECT HARMONY GH180 6SR5"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-25032",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "summary",
"text": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2018-25032"
},
{
"cve": "CVE-2021-42374",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "summary",
"text": "An out-of-bounds heap read in Busybox\u0027s unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-42374"
},
{
"cve": "CVE-2021-42378",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free in Busybox\u0027s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-42378"
},
{
"cve": "CVE-2021-42379",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free in Busybox\u0027s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-42379"
},
{
"cve": "CVE-2021-42380",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-42380"
},
{
"cve": "CVE-2021-42381",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-42381"
},
{
"cve": "CVE-2021-42382",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-42382"
},
{
"cve": "CVE-2021-42383",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-42383"
},
{
"cve": "CVE-2021-42384",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free in Busybox\u0027s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-42384"
},
{
"cve": "CVE-2021-42385",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-42385"
},
{
"cve": "CVE-2021-42386",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-42386"
},
{
"cve": "CVE-2022-0547",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "summary",
"text": "OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-0547"
},
{
"cve": "CVE-2022-1199",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-1199"
},
{
"cve": "CVE-2022-1292",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-1292"
},
{
"cve": "CVE-2022-1343",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"notes": [
{
"category": "summary",
"text": "Under certain circumstances, the command line OCSP verify function reports successful verification when the verification in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-1343"
},
{
"cve": "CVE-2022-1473",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "summary",
"text": "The used OpenSSL version improperly reuses memory when decoding certificates or keys. This can lead to a process termination and Denial of Service for long lived processes.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-1473"
},
{
"cve": "CVE-2022-23308",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-23308"
},
{
"cve": "CVE-2022-32205",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "summary",
"text": "A malicious server can serve excessive amounts of \"Set-Cookie:\" headers in a HTTP response to curl and curl \u003c 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven\u0027t expired. Due to cookie matching rules, a server on \"foo.example.com\" can set cookies that also would match for \"bar.example.com\", making it it possible for a \"sister server\" to effectively cause a denial of service for a sibling site on the same second level domain using this method.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-32205"
},
{
"cve": "CVE-2022-32206",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "summary",
"text": "curl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-32206"
},
{
"cve": "CVE-2022-32207",
"cwe": {
"id": "CWE-276",
"name": "Incorrect Default Permissions"
},
"notes": [
{
"category": "summary",
"text": "When curl \u003c 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-32207"
},
{
"cve": "CVE-2022-32208",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "summary",
"text": "When curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-32208"
},
{
"cve": "CVE-2022-35252",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"notes": [
{
"category": "summary",
"text": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-35252"
},
{
"cve": "CVE-2022-36946",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb-\u003elen.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Restrict physical access to the affected drives, also to their Ethernet Port included on the front of the control door",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "Disconnect any direct network connection to the integrated SCALANCE S615 device",
"product_ids": [
"1"
]
},
{
"category": "vendor_fix",
"details": "Update the firmware of the integrated SCALANCE S615 device to V7.2 or later version",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2022-36946"
}
]
}
SUSE-SU-2022:3003-1
Vulnerability from csaf_suse - Published: 2022-09-02 13:01 - Updated: 2022-09-02 13:01Summary
Security update for curl
Severity
Low
Notes
Title of the patch: Security update for curl
Description of the patch: This update for curl fixes the following issues:
- CVE-2022-35252: Fixed a potential injection of control characters
into cookies, which could be exploited by sister sites to cause a
denial of service (bsc#1202593).
Patchnames: SUSE-2022-3003,SUSE-SLE-Module-Basesystem-15-SP4-2022-3003,openSUSE-SLE-15.4-2022-3003
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
27 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-32bit-7.79.1-150400.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:libcurl-devel-32bit-7.79.1-150400.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:libcurl4-32bit-7.79.1-150400.5.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for curl",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for curl fixes the following issues:\n\n- CVE-2022-35252: Fixed a potential injection of control characters\n into cookies, which could be exploited by sister sites to cause a\n denial of service (bsc#1202593).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2022-3003,SUSE-SLE-Module-Basesystem-15-SP4-2022-3003,openSUSE-SLE-15.4-2022-3003",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3003-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2022:3003-1",
"url": "https://www.suse.com/support/update/announcement/2022/suse-su-20223003-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2022:3003-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012069.html"
},
{
"category": "self",
"summary": "SUSE Bug 1202593",
"url": "https://bugzilla.suse.com/1202593"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35252 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35252/"
}
],
"title": "Security update for curl",
"tracking": {
"current_release_date": "2022-09-02T13:01:50Z",
"generator": {
"date": "2022-09-02T13:01:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2022:3003-1",
"initial_release_date": "2022-09-02T13:01:50Z",
"revision_history": [
{
"date": "2022-09-02T13:01:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "curl-7.79.1-150400.5.6.1.aarch64",
"product": {
"name": "curl-7.79.1-150400.5.6.1.aarch64",
"product_id": "curl-7.79.1-150400.5.6.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.79.1-150400.5.6.1.aarch64",
"product": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.aarch64",
"product_id": "libcurl-devel-7.79.1-150400.5.6.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl4-7.79.1-150400.5.6.1.aarch64",
"product": {
"name": "libcurl4-7.79.1-150400.5.6.1.aarch64",
"product_id": "libcurl4-7.79.1-150400.5.6.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libcurl-devel-64bit-7.79.1-150400.5.6.1.aarch64_ilp32",
"product": {
"name": "libcurl-devel-64bit-7.79.1-150400.5.6.1.aarch64_ilp32",
"product_id": "libcurl-devel-64bit-7.79.1-150400.5.6.1.aarch64_ilp32"
}
},
{
"category": "product_version",
"name": "libcurl4-64bit-7.79.1-150400.5.6.1.aarch64_ilp32",
"product": {
"name": "libcurl4-64bit-7.79.1-150400.5.6.1.aarch64_ilp32",
"product_id": "libcurl4-64bit-7.79.1-150400.5.6.1.aarch64_ilp32"
}
}
],
"category": "architecture",
"name": "aarch64_ilp32"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.79.1-150400.5.6.1.i586",
"product": {
"name": "curl-7.79.1-150400.5.6.1.i586",
"product_id": "curl-7.79.1-150400.5.6.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.79.1-150400.5.6.1.i586",
"product": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.i586",
"product_id": "libcurl-devel-7.79.1-150400.5.6.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl4-7.79.1-150400.5.6.1.i586",
"product": {
"name": "libcurl4-7.79.1-150400.5.6.1.i586",
"product_id": "libcurl4-7.79.1-150400.5.6.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.79.1-150400.5.6.1.ppc64le",
"product": {
"name": "curl-7.79.1-150400.5.6.1.ppc64le",
"product_id": "curl-7.79.1-150400.5.6.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.79.1-150400.5.6.1.ppc64le",
"product": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.ppc64le",
"product_id": "libcurl-devel-7.79.1-150400.5.6.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl4-7.79.1-150400.5.6.1.ppc64le",
"product": {
"name": "libcurl4-7.79.1-150400.5.6.1.ppc64le",
"product_id": "libcurl4-7.79.1-150400.5.6.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.79.1-150400.5.6.1.s390x",
"product": {
"name": "curl-7.79.1-150400.5.6.1.s390x",
"product_id": "curl-7.79.1-150400.5.6.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.79.1-150400.5.6.1.s390x",
"product": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.s390x",
"product_id": "libcurl-devel-7.79.1-150400.5.6.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-7.79.1-150400.5.6.1.s390x",
"product": {
"name": "libcurl4-7.79.1-150400.5.6.1.s390x",
"product_id": "libcurl4-7.79.1-150400.5.6.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.79.1-150400.5.6.1.x86_64",
"product": {
"name": "curl-7.79.1-150400.5.6.1.x86_64",
"product_id": "curl-7.79.1-150400.5.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.79.1-150400.5.6.1.x86_64",
"product": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.x86_64",
"product_id": "libcurl-devel-7.79.1-150400.5.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-32bit-7.79.1-150400.5.6.1.x86_64",
"product": {
"name": "libcurl-devel-32bit-7.79.1-150400.5.6.1.x86_64",
"product_id": "libcurl-devel-32bit-7.79.1-150400.5.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-7.79.1-150400.5.6.1.x86_64",
"product": {
"name": "libcurl4-7.79.1-150400.5.6.1.x86_64",
"product_id": "libcurl4-7.79.1-150400.5.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-32bit-7.79.1-150400.5.6.1.x86_64",
"product": {
"name": "libcurl4-32bit-7.79.1-150400.5.6.1.x86_64",
"product_id": "libcurl4-32bit-7.79.1-150400.5.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp4"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.79.1-150400.5.6.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.aarch64"
},
"product_reference": "curl-7.79.1-150400.5.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.79.1-150400.5.6.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.ppc64le"
},
"product_reference": "curl-7.79.1-150400.5.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.79.1-150400.5.6.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.s390x"
},
"product_reference": "curl-7.79.1-150400.5.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.79.1-150400.5.6.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.x86_64"
},
"product_reference": "curl-7.79.1-150400.5.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.aarch64"
},
"product_reference": "libcurl-devel-7.79.1-150400.5.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.ppc64le"
},
"product_reference": "libcurl-devel-7.79.1-150400.5.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.s390x"
},
"product_reference": "libcurl-devel-7.79.1-150400.5.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.x86_64"
},
"product_reference": "libcurl-devel-7.79.1-150400.5.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.79.1-150400.5.6.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.aarch64"
},
"product_reference": "libcurl4-7.79.1-150400.5.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.79.1-150400.5.6.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.ppc64le"
},
"product_reference": "libcurl4-7.79.1-150400.5.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.79.1-150400.5.6.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.s390x"
},
"product_reference": "libcurl4-7.79.1-150400.5.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.79.1-150400.5.6.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.x86_64"
},
"product_reference": "libcurl4-7.79.1-150400.5.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.79.1-150400.5.6.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-32bit-7.79.1-150400.5.6.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.79.1-150400.5.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.79.1-150400.5.6.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.aarch64"
},
"product_reference": "curl-7.79.1-150400.5.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.79.1-150400.5.6.1.ppc64le as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.ppc64le"
},
"product_reference": "curl-7.79.1-150400.5.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.79.1-150400.5.6.1.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.s390x"
},
"product_reference": "curl-7.79.1-150400.5.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.79.1-150400.5.6.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.x86_64"
},
"product_reference": "curl-7.79.1-150400.5.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.aarch64"
},
"product_reference": "libcurl-devel-7.79.1-150400.5.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.ppc64le as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.ppc64le"
},
"product_reference": "libcurl-devel-7.79.1-150400.5.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.s390x"
},
"product_reference": "libcurl-devel-7.79.1-150400.5.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.79.1-150400.5.6.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.x86_64"
},
"product_reference": "libcurl-devel-7.79.1-150400.5.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-32bit-7.79.1-150400.5.6.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libcurl-devel-32bit-7.79.1-150400.5.6.1.x86_64"
},
"product_reference": "libcurl-devel-32bit-7.79.1-150400.5.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.79.1-150400.5.6.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.aarch64"
},
"product_reference": "libcurl4-7.79.1-150400.5.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.79.1-150400.5.6.1.ppc64le as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.ppc64le"
},
"product_reference": "libcurl4-7.79.1-150400.5.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.79.1-150400.5.6.1.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.s390x"
},
"product_reference": "libcurl4-7.79.1-150400.5.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.79.1-150400.5.6.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.x86_64"
},
"product_reference": "libcurl4-7.79.1-150400.5.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.79.1-150400.5.6.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libcurl4-32bit-7.79.1-150400.5.6.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.79.1-150400.5.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-35252",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35252"
}
],
"notes": [
{
"category": "general",
"text": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-32bit-7.79.1-150400.5.6.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.aarch64",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.ppc64le",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.s390x",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl-devel-32bit-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.aarch64",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.ppc64le",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.s390x",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl4-32bit-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.aarch64",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.ppc64le",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.s390x",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35252",
"url": "https://www.suse.com/security/cve/CVE-2022-35252"
},
{
"category": "external",
"summary": "SUSE Bug 1202593 for CVE-2022-35252",
"url": "https://bugzilla.suse.com/1202593"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-32bit-7.79.1-150400.5.6.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.aarch64",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.ppc64le",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.s390x",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl-devel-32bit-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.aarch64",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.ppc64le",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.s390x",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl4-32bit-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.aarch64",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.ppc64le",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.s390x",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:curl-7.79.1-150400.5.6.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl-devel-7.79.1-150400.5.6.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-32bit-7.79.1-150400.5.6.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP4:libcurl4-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.aarch64",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.ppc64le",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.s390x",
"openSUSE Leap 15.4:curl-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl-devel-32bit-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.aarch64",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.ppc64le",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.s390x",
"openSUSE Leap 15.4:libcurl-devel-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl4-32bit-7.79.1-150400.5.6.1.x86_64",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.aarch64",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.ppc64le",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.s390x",
"openSUSE Leap 15.4:libcurl4-7.79.1-150400.5.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-09-02T13:01:50Z",
"details": "moderate"
}
],
"title": "CVE-2022-35252"
}
]
}
SUSE-SU-2022:3004-1
Vulnerability from csaf_suse - Published: 2022-09-02 13:02 - Updated: 2022-09-02 13:02Summary
Security update for curl
Severity
Low
Notes
Title of the patch: Security update for curl
Description of the patch: This update for curl fixes the following issues:
- CVE-2022-35252: Fixed a potential injection of control characters
into cookies, which could be exploited by sister sites to cause a
denial of service (bsc#1202593).
Patchnames: SUSE-2022-3004,SUSE-SLE-Module-Basesystem-15-SP3-2022-3004,SUSE-SUSE-MicroOS-5.1-2022-3004,SUSE-SUSE-MicroOS-5.2-2022-3004,openSUSE-Leap-Micro-5.2-2022-3004,openSUSE-SLE-15.3-2022-3004
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
43 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-32bit-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:libcurl-devel-32bit-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:libcurl4-32bit-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap Micro 5.2:curl-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap Micro 5.2:curl-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap Micro 5.2:libcurl4-7.66.0-150200.4.39.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap Micro 5.2:libcurl4-7.66.0-150200.4.39.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for curl",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for curl fixes the following issues:\n\n- CVE-2022-35252: Fixed a potential injection of control characters\n into cookies, which could be exploited by sister sites to cause a\n denial of service (bsc#1202593).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2022-3004,SUSE-SLE-Module-Basesystem-15-SP3-2022-3004,SUSE-SUSE-MicroOS-5.1-2022-3004,SUSE-SUSE-MicroOS-5.2-2022-3004,openSUSE-Leap-Micro-5.2-2022-3004,openSUSE-SLE-15.3-2022-3004",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3004-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2022:3004-1",
"url": "https://www.suse.com/support/update/announcement/2022/suse-su-20223004-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2022:3004-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012067.html"
},
{
"category": "self",
"summary": "SUSE Bug 1202593",
"url": "https://bugzilla.suse.com/1202593"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35252 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35252/"
}
],
"title": "Security update for curl",
"tracking": {
"current_release_date": "2022-09-02T13:02:21Z",
"generator": {
"date": "2022-09-02T13:02:21Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2022:3004-1",
"initial_release_date": "2022-09-02T13:02:21Z",
"revision_history": [
{
"date": "2022-09-02T13:02:21Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "curl-7.66.0-150200.4.39.1.aarch64",
"product": {
"name": "curl-7.66.0-150200.4.39.1.aarch64",
"product_id": "curl-7.66.0-150200.4.39.1.aarch64"
}
},
{
"category": "product_version",
"name": "curl-mini-7.66.0-150200.4.39.1.aarch64",
"product": {
"name": "curl-mini-7.66.0-150200.4.39.1.aarch64",
"product_id": "curl-mini-7.66.0-150200.4.39.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.66.0-150200.4.39.1.aarch64",
"product": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.aarch64",
"product_id": "libcurl-devel-7.66.0-150200.4.39.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.66.0-150200.4.39.1.aarch64",
"product": {
"name": "libcurl-mini-devel-7.66.0-150200.4.39.1.aarch64",
"product_id": "libcurl-mini-devel-7.66.0-150200.4.39.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl4-7.66.0-150200.4.39.1.aarch64",
"product": {
"name": "libcurl4-7.66.0-150200.4.39.1.aarch64",
"product_id": "libcurl4-7.66.0-150200.4.39.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.66.0-150200.4.39.1.aarch64",
"product": {
"name": "libcurl4-mini-7.66.0-150200.4.39.1.aarch64",
"product_id": "libcurl4-mini-7.66.0-150200.4.39.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libcurl-devel-64bit-7.66.0-150200.4.39.1.aarch64_ilp32",
"product": {
"name": "libcurl-devel-64bit-7.66.0-150200.4.39.1.aarch64_ilp32",
"product_id": "libcurl-devel-64bit-7.66.0-150200.4.39.1.aarch64_ilp32"
}
},
{
"category": "product_version",
"name": "libcurl4-64bit-7.66.0-150200.4.39.1.aarch64_ilp32",
"product": {
"name": "libcurl4-64bit-7.66.0-150200.4.39.1.aarch64_ilp32",
"product_id": "libcurl4-64bit-7.66.0-150200.4.39.1.aarch64_ilp32"
}
}
],
"category": "architecture",
"name": "aarch64_ilp32"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.66.0-150200.4.39.1.i586",
"product": {
"name": "curl-7.66.0-150200.4.39.1.i586",
"product_id": "curl-7.66.0-150200.4.39.1.i586"
}
},
{
"category": "product_version",
"name": "curl-mini-7.66.0-150200.4.39.1.i586",
"product": {
"name": "curl-mini-7.66.0-150200.4.39.1.i586",
"product_id": "curl-mini-7.66.0-150200.4.39.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.66.0-150200.4.39.1.i586",
"product": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.i586",
"product_id": "libcurl-devel-7.66.0-150200.4.39.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.66.0-150200.4.39.1.i586",
"product": {
"name": "libcurl-mini-devel-7.66.0-150200.4.39.1.i586",
"product_id": "libcurl-mini-devel-7.66.0-150200.4.39.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl4-7.66.0-150200.4.39.1.i586",
"product": {
"name": "libcurl4-7.66.0-150200.4.39.1.i586",
"product_id": "libcurl4-7.66.0-150200.4.39.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.66.0-150200.4.39.1.i586",
"product": {
"name": "libcurl4-mini-7.66.0-150200.4.39.1.i586",
"product_id": "libcurl4-mini-7.66.0-150200.4.39.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.66.0-150200.4.39.1.ppc64le",
"product": {
"name": "curl-7.66.0-150200.4.39.1.ppc64le",
"product_id": "curl-7.66.0-150200.4.39.1.ppc64le"
}
},
{
"category": "product_version",
"name": "curl-mini-7.66.0-150200.4.39.1.ppc64le",
"product": {
"name": "curl-mini-7.66.0-150200.4.39.1.ppc64le",
"product_id": "curl-mini-7.66.0-150200.4.39.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.66.0-150200.4.39.1.ppc64le",
"product": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.ppc64le",
"product_id": "libcurl-devel-7.66.0-150200.4.39.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.66.0-150200.4.39.1.ppc64le",
"product": {
"name": "libcurl-mini-devel-7.66.0-150200.4.39.1.ppc64le",
"product_id": "libcurl-mini-devel-7.66.0-150200.4.39.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl4-7.66.0-150200.4.39.1.ppc64le",
"product": {
"name": "libcurl4-7.66.0-150200.4.39.1.ppc64le",
"product_id": "libcurl4-7.66.0-150200.4.39.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.66.0-150200.4.39.1.ppc64le",
"product": {
"name": "libcurl4-mini-7.66.0-150200.4.39.1.ppc64le",
"product_id": "libcurl4-mini-7.66.0-150200.4.39.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.66.0-150200.4.39.1.s390x",
"product": {
"name": "curl-7.66.0-150200.4.39.1.s390x",
"product_id": "curl-7.66.0-150200.4.39.1.s390x"
}
},
{
"category": "product_version",
"name": "curl-mini-7.66.0-150200.4.39.1.s390x",
"product": {
"name": "curl-mini-7.66.0-150200.4.39.1.s390x",
"product_id": "curl-mini-7.66.0-150200.4.39.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.66.0-150200.4.39.1.s390x",
"product": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.s390x",
"product_id": "libcurl-devel-7.66.0-150200.4.39.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.66.0-150200.4.39.1.s390x",
"product": {
"name": "libcurl-mini-devel-7.66.0-150200.4.39.1.s390x",
"product_id": "libcurl-mini-devel-7.66.0-150200.4.39.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-7.66.0-150200.4.39.1.s390x",
"product": {
"name": "libcurl4-7.66.0-150200.4.39.1.s390x",
"product_id": "libcurl4-7.66.0-150200.4.39.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.66.0-150200.4.39.1.s390x",
"product": {
"name": "libcurl4-mini-7.66.0-150200.4.39.1.s390x",
"product_id": "libcurl4-mini-7.66.0-150200.4.39.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.66.0-150200.4.39.1.x86_64",
"product": {
"name": "curl-7.66.0-150200.4.39.1.x86_64",
"product_id": "curl-7.66.0-150200.4.39.1.x86_64"
}
},
{
"category": "product_version",
"name": "curl-mini-7.66.0-150200.4.39.1.x86_64",
"product": {
"name": "curl-mini-7.66.0-150200.4.39.1.x86_64",
"product_id": "curl-mini-7.66.0-150200.4.39.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.66.0-150200.4.39.1.x86_64",
"product": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.x86_64",
"product_id": "libcurl-devel-7.66.0-150200.4.39.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-32bit-7.66.0-150200.4.39.1.x86_64",
"product": {
"name": "libcurl-devel-32bit-7.66.0-150200.4.39.1.x86_64",
"product_id": "libcurl-devel-32bit-7.66.0-150200.4.39.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.66.0-150200.4.39.1.x86_64",
"product": {
"name": "libcurl-mini-devel-7.66.0-150200.4.39.1.x86_64",
"product_id": "libcurl-mini-devel-7.66.0-150200.4.39.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-7.66.0-150200.4.39.1.x86_64",
"product": {
"name": "libcurl4-7.66.0-150200.4.39.1.x86_64",
"product_id": "libcurl4-7.66.0-150200.4.39.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-32bit-7.66.0-150200.4.39.1.x86_64",
"product": {
"name": "libcurl4-32bit-7.66.0-150200.4.39.1.x86_64",
"product_id": "libcurl4-32bit-7.66.0-150200.4.39.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.66.0-150200.4.39.1.x86_64",
"product": {
"name": "libcurl4-mini-7.66.0-150200.4.39.1.x86_64",
"product_id": "libcurl4-mini-7.66.0-150200.4.39.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Micro 5.1",
"product": {
"name": "SUSE Linux Enterprise Micro 5.1",
"product_id": "SUSE Linux Enterprise Micro 5.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-microos:5.1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Micro 5.2",
"product": {
"name": "SUSE Linux Enterprise Micro 5.2",
"product_id": "SUSE Linux Enterprise Micro 5.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-microos:5.2"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap Micro 5.2",
"product": {
"name": "openSUSE Leap Micro 5.2",
"product_id": "openSUSE Leap Micro 5.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap-micro:5.2"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "curl-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.ppc64le"
},
"product_reference": "curl-7.66.0-150200.4.39.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.s390x"
},
"product_reference": "curl-7.66.0-150200.4.39.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "curl-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "libcurl-devel-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.ppc64le"
},
"product_reference": "libcurl-devel-7.66.0-150200.4.39.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.s390x"
},
"product_reference": "libcurl-devel-7.66.0-150200.4.39.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "libcurl-devel-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.ppc64le"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.s390x"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.66.0-150200.4.39.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-32bit-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.aarch64 as component of SUSE Linux Enterprise Micro 5.1",
"product_id": "SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "curl-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.s390x as component of SUSE Linux Enterprise Micro 5.1",
"product_id": "SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.s390x"
},
"product_reference": "curl-7.66.0-150200.4.39.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.x86_64 as component of SUSE Linux Enterprise Micro 5.1",
"product_id": "SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "curl-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.aarch64 as component of SUSE Linux Enterprise Micro 5.1",
"product_id": "SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.s390x as component of SUSE Linux Enterprise Micro 5.1",
"product_id": "SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.s390x"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.x86_64 as component of SUSE Linux Enterprise Micro 5.1",
"product_id": "SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.aarch64 as component of SUSE Linux Enterprise Micro 5.2",
"product_id": "SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "curl-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.s390x as component of SUSE Linux Enterprise Micro 5.2",
"product_id": "SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.s390x"
},
"product_reference": "curl-7.66.0-150200.4.39.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.x86_64 as component of SUSE Linux Enterprise Micro 5.2",
"product_id": "SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "curl-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.aarch64 as component of SUSE Linux Enterprise Micro 5.2",
"product_id": "SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.s390x as component of SUSE Linux Enterprise Micro 5.2",
"product_id": "SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.s390x"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.x86_64 as component of SUSE Linux Enterprise Micro 5.2",
"product_id": "SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.aarch64 as component of openSUSE Leap Micro 5.2",
"product_id": "openSUSE Leap Micro 5.2:curl-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "curl-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "openSUSE Leap Micro 5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.x86_64 as component of openSUSE Leap Micro 5.2",
"product_id": "openSUSE Leap Micro 5.2:curl-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "curl-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "openSUSE Leap Micro 5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.aarch64 as component of openSUSE Leap Micro 5.2",
"product_id": "openSUSE Leap Micro 5.2:libcurl4-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "openSUSE Leap Micro 5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.x86_64 as component of openSUSE Leap Micro 5.2",
"product_id": "openSUSE Leap Micro 5.2:libcurl4-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "openSUSE Leap Micro 5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "curl-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.ppc64le"
},
"product_reference": "curl-7.66.0-150200.4.39.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.s390x"
},
"product_reference": "curl-7.66.0-150200.4.39.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.66.0-150200.4.39.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "curl-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "libcurl-devel-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.ppc64le"
},
"product_reference": "libcurl-devel-7.66.0-150200.4.39.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.s390x"
},
"product_reference": "libcurl-devel-7.66.0-150200.4.39.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.66.0-150200.4.39.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "libcurl-devel-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-32bit-7.66.0-150200.4.39.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libcurl-devel-32bit-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "libcurl-devel-32bit-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.aarch64"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.ppc64le"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.s390x"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.66.0-150200.4.39.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "libcurl4-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.66.0-150200.4.39.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:libcurl4-32bit-7.66.0-150200.4.39.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.66.0-150200.4.39.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-35252",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35252"
}
],
"notes": [
{
"category": "general",
"text": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-32bit-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.ppc64le",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.s390x",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl-devel-32bit-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.ppc64le",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.s390x",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl4-32bit-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.ppc64le",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.s390x",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap Micro 5.2:curl-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap Micro 5.2:curl-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap Micro 5.2:libcurl4-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap Micro 5.2:libcurl4-7.66.0-150200.4.39.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35252",
"url": "https://www.suse.com/security/cve/CVE-2022-35252"
},
{
"category": "external",
"summary": "SUSE Bug 1202593 for CVE-2022-35252",
"url": "https://bugzilla.suse.com/1202593"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-32bit-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.ppc64le",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.s390x",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl-devel-32bit-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.ppc64le",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.s390x",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl4-32bit-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.ppc64le",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.s390x",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap Micro 5.2:curl-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap Micro 5.2:curl-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap Micro 5.2:libcurl4-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap Micro 5.2:libcurl4-7.66.0-150200.4.39.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.1:curl-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.1:libcurl4-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.2:curl-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Micro 5.2:libcurl4-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:curl-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl-devel-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-32bit-7.66.0-150200.4.39.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP3:libcurl4-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.ppc64le",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.s390x",
"openSUSE Leap 15.3:curl-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl-devel-32bit-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.ppc64le",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.s390x",
"openSUSE Leap 15.3:libcurl-devel-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl4-32bit-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.ppc64le",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.s390x",
"openSUSE Leap 15.3:libcurl4-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap Micro 5.2:curl-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap Micro 5.2:curl-7.66.0-150200.4.39.1.x86_64",
"openSUSE Leap Micro 5.2:libcurl4-7.66.0-150200.4.39.1.aarch64",
"openSUSE Leap Micro 5.2:libcurl4-7.66.0-150200.4.39.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-09-02T13:02:21Z",
"details": "moderate"
}
],
"title": "CVE-2022-35252"
}
]
}
SUSE-SU-2022:3005-1
Vulnerability from csaf_suse - Published: 2022-09-02 13:02 - Updated: 2022-09-02 13:02Summary
Security update for curl
Severity
Low
Notes
Title of the patch: Security update for curl
Description of the patch: This update for curl fixes the following issues:
- CVE-2022-35252: Fixed a potential injection of control characters
into cookies, which could be exploited by sister sites to cause a
denial of service (bsc#1202593).
Patchnames: SUSE-2022-3005,SUSE-SLE-SDK-12-SP5-2022-3005,SUSE-SLE-SERVER-12-SP5-2022-3005
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5:libcurl4-32bit-7.60.0-11.46.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5:libcurl4-32bit-7.60.0-11.46.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-32bit-7.60.0-11.46.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-32bit-7.60.0-11.46.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for curl",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for curl fixes the following issues:\n\n- CVE-2022-35252: Fixed a potential injection of control characters\n into cookies, which could be exploited by sister sites to cause a\n denial of service (bsc#1202593).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2022-3005,SUSE-SLE-SDK-12-SP5-2022-3005,SUSE-SLE-SERVER-12-SP5-2022-3005",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3005-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2022:3005-1",
"url": "https://www.suse.com/support/update/announcement/2022/suse-su-20223005-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2022:3005-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012068.html"
},
{
"category": "self",
"summary": "SUSE Bug 1202593",
"url": "https://bugzilla.suse.com/1202593"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35252 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35252/"
}
],
"title": "Security update for curl",
"tracking": {
"current_release_date": "2022-09-02T13:02:57Z",
"generator": {
"date": "2022-09-02T13:02:57Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2022:3005-1",
"initial_release_date": "2022-09-02T13:02:57Z",
"revision_history": [
{
"date": "2022-09-02T13:02:57Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-11.46.1.aarch64",
"product": {
"name": "curl-7.60.0-11.46.1.aarch64",
"product_id": "curl-7.60.0-11.46.1.aarch64"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-11.46.1.aarch64",
"product": {
"name": "curl-mini-7.60.0-11.46.1.aarch64",
"product_id": "curl-mini-7.60.0-11.46.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-11.46.1.aarch64",
"product": {
"name": "libcurl-devel-7.60.0-11.46.1.aarch64",
"product_id": "libcurl-devel-7.60.0-11.46.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-11.46.1.aarch64",
"product": {
"name": "libcurl-mini-devel-7.60.0-11.46.1.aarch64",
"product_id": "libcurl-mini-devel-7.60.0-11.46.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-11.46.1.aarch64",
"product": {
"name": "libcurl4-7.60.0-11.46.1.aarch64",
"product_id": "libcurl4-7.60.0-11.46.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-11.46.1.aarch64",
"product": {
"name": "libcurl4-mini-7.60.0-11.46.1.aarch64",
"product_id": "libcurl4-mini-7.60.0-11.46.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libcurl-devel-64bit-7.60.0-11.46.1.aarch64_ilp32",
"product": {
"name": "libcurl-devel-64bit-7.60.0-11.46.1.aarch64_ilp32",
"product_id": "libcurl-devel-64bit-7.60.0-11.46.1.aarch64_ilp32"
}
},
{
"category": "product_version",
"name": "libcurl4-64bit-7.60.0-11.46.1.aarch64_ilp32",
"product": {
"name": "libcurl4-64bit-7.60.0-11.46.1.aarch64_ilp32",
"product_id": "libcurl4-64bit-7.60.0-11.46.1.aarch64_ilp32"
}
}
],
"category": "architecture",
"name": "aarch64_ilp32"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-11.46.1.i586",
"product": {
"name": "curl-7.60.0-11.46.1.i586",
"product_id": "curl-7.60.0-11.46.1.i586"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-11.46.1.i586",
"product": {
"name": "curl-mini-7.60.0-11.46.1.i586",
"product_id": "curl-mini-7.60.0-11.46.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-11.46.1.i586",
"product": {
"name": "libcurl-devel-7.60.0-11.46.1.i586",
"product_id": "libcurl-devel-7.60.0-11.46.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-11.46.1.i586",
"product": {
"name": "libcurl-mini-devel-7.60.0-11.46.1.i586",
"product_id": "libcurl-mini-devel-7.60.0-11.46.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-11.46.1.i586",
"product": {
"name": "libcurl4-7.60.0-11.46.1.i586",
"product_id": "libcurl4-7.60.0-11.46.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-11.46.1.i586",
"product": {
"name": "libcurl4-mini-7.60.0-11.46.1.i586",
"product_id": "libcurl4-mini-7.60.0-11.46.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-11.46.1.ppc64le",
"product": {
"name": "curl-7.60.0-11.46.1.ppc64le",
"product_id": "curl-7.60.0-11.46.1.ppc64le"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-11.46.1.ppc64le",
"product": {
"name": "curl-mini-7.60.0-11.46.1.ppc64le",
"product_id": "curl-mini-7.60.0-11.46.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-11.46.1.ppc64le",
"product": {
"name": "libcurl-devel-7.60.0-11.46.1.ppc64le",
"product_id": "libcurl-devel-7.60.0-11.46.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-11.46.1.ppc64le",
"product": {
"name": "libcurl-mini-devel-7.60.0-11.46.1.ppc64le",
"product_id": "libcurl-mini-devel-7.60.0-11.46.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-11.46.1.ppc64le",
"product": {
"name": "libcurl4-7.60.0-11.46.1.ppc64le",
"product_id": "libcurl4-7.60.0-11.46.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-11.46.1.ppc64le",
"product": {
"name": "libcurl4-mini-7.60.0-11.46.1.ppc64le",
"product_id": "libcurl4-mini-7.60.0-11.46.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-11.46.1.s390",
"product": {
"name": "curl-7.60.0-11.46.1.s390",
"product_id": "curl-7.60.0-11.46.1.s390"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-11.46.1.s390",
"product": {
"name": "curl-mini-7.60.0-11.46.1.s390",
"product_id": "curl-mini-7.60.0-11.46.1.s390"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-11.46.1.s390",
"product": {
"name": "libcurl-devel-7.60.0-11.46.1.s390",
"product_id": "libcurl-devel-7.60.0-11.46.1.s390"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-11.46.1.s390",
"product": {
"name": "libcurl-mini-devel-7.60.0-11.46.1.s390",
"product_id": "libcurl-mini-devel-7.60.0-11.46.1.s390"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-11.46.1.s390",
"product": {
"name": "libcurl4-7.60.0-11.46.1.s390",
"product_id": "libcurl4-7.60.0-11.46.1.s390"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-11.46.1.s390",
"product": {
"name": "libcurl4-mini-7.60.0-11.46.1.s390",
"product_id": "libcurl4-mini-7.60.0-11.46.1.s390"
}
}
],
"category": "architecture",
"name": "s390"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-11.46.1.s390x",
"product": {
"name": "curl-7.60.0-11.46.1.s390x",
"product_id": "curl-7.60.0-11.46.1.s390x"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-11.46.1.s390x",
"product": {
"name": "curl-mini-7.60.0-11.46.1.s390x",
"product_id": "curl-mini-7.60.0-11.46.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-11.46.1.s390x",
"product": {
"name": "libcurl-devel-7.60.0-11.46.1.s390x",
"product_id": "libcurl-devel-7.60.0-11.46.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-devel-32bit-7.60.0-11.46.1.s390x",
"product": {
"name": "libcurl-devel-32bit-7.60.0-11.46.1.s390x",
"product_id": "libcurl-devel-32bit-7.60.0-11.46.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-11.46.1.s390x",
"product": {
"name": "libcurl-mini-devel-7.60.0-11.46.1.s390x",
"product_id": "libcurl-mini-devel-7.60.0-11.46.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-11.46.1.s390x",
"product": {
"name": "libcurl4-7.60.0-11.46.1.s390x",
"product_id": "libcurl4-7.60.0-11.46.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-32bit-7.60.0-11.46.1.s390x",
"product": {
"name": "libcurl4-32bit-7.60.0-11.46.1.s390x",
"product_id": "libcurl4-32bit-7.60.0-11.46.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-11.46.1.s390x",
"product": {
"name": "libcurl4-mini-7.60.0-11.46.1.s390x",
"product_id": "libcurl4-mini-7.60.0-11.46.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-11.46.1.x86_64",
"product": {
"name": "curl-7.60.0-11.46.1.x86_64",
"product_id": "curl-7.60.0-11.46.1.x86_64"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-11.46.1.x86_64",
"product": {
"name": "curl-mini-7.60.0-11.46.1.x86_64",
"product_id": "curl-mini-7.60.0-11.46.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-11.46.1.x86_64",
"product": {
"name": "libcurl-devel-7.60.0-11.46.1.x86_64",
"product_id": "libcurl-devel-7.60.0-11.46.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-32bit-7.60.0-11.46.1.x86_64",
"product": {
"name": "libcurl-devel-32bit-7.60.0-11.46.1.x86_64",
"product_id": "libcurl-devel-32bit-7.60.0-11.46.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-11.46.1.x86_64",
"product": {
"name": "libcurl-mini-devel-7.60.0-11.46.1.x86_64",
"product_id": "libcurl-mini-devel-7.60.0-11.46.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-11.46.1.x86_64",
"product": {
"name": "libcurl4-7.60.0-11.46.1.x86_64",
"product_id": "libcurl4-7.60.0-11.46.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-32bit-7.60.0-11.46.1.x86_64",
"product": {
"name": "libcurl4-32bit-7.60.0-11.46.1.x86_64",
"product_id": "libcurl4-32bit-7.60.0-11.46.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-11.46.1.x86_64",
"product": {
"name": "libcurl4-mini-7.60.0-11.46.1.x86_64",
"product_id": "libcurl4-mini-7.60.0-11.46.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Software Development Kit 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-sdk:12:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:12:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-11.46.1.aarch64 as component of SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.aarch64"
},
"product_reference": "libcurl-devel-7.60.0-11.46.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-11.46.1.ppc64le as component of SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.ppc64le"
},
"product_reference": "libcurl-devel-7.60.0-11.46.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-11.46.1.s390x as component of SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.s390x"
},
"product_reference": "libcurl-devel-7.60.0-11.46.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-11.46.1.x86_64 as component of SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-11.46.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-11.46.1.aarch64 as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.aarch64"
},
"product_reference": "curl-7.60.0-11.46.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-11.46.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.ppc64le"
},
"product_reference": "curl-7.60.0-11.46.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-11.46.1.s390x as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.s390x"
},
"product_reference": "curl-7.60.0-11.46.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-11.46.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.x86_64"
},
"product_reference": "curl-7.60.0-11.46.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-11.46.1.aarch64 as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.aarch64"
},
"product_reference": "libcurl4-7.60.0-11.46.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-11.46.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.ppc64le"
},
"product_reference": "libcurl4-7.60.0-11.46.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-11.46.1.s390x as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.s390x"
},
"product_reference": "libcurl4-7.60.0-11.46.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-11.46.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-11.46.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-11.46.1.s390x as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:libcurl4-32bit-7.60.0-11.46.1.s390x"
},
"product_reference": "libcurl4-32bit-7.60.0-11.46.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-11.46.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:libcurl4-32bit-7.60.0-11.46.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-11.46.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-11.46.1.aarch64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.aarch64"
},
"product_reference": "curl-7.60.0-11.46.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-11.46.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.ppc64le"
},
"product_reference": "curl-7.60.0-11.46.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-11.46.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.s390x"
},
"product_reference": "curl-7.60.0-11.46.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-11.46.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.x86_64"
},
"product_reference": "curl-7.60.0-11.46.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-11.46.1.aarch64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.aarch64"
},
"product_reference": "libcurl4-7.60.0-11.46.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-11.46.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.ppc64le"
},
"product_reference": "libcurl4-7.60.0-11.46.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-11.46.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.s390x"
},
"product_reference": "libcurl4-7.60.0-11.46.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-11.46.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-11.46.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-11.46.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-32bit-7.60.0-11.46.1.s390x"
},
"product_reference": "libcurl4-32bit-7.60.0-11.46.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-11.46.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-32bit-7.60.0-11.46.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-11.46.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-35252",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35252"
}
],
"notes": [
{
"category": "general",
"text": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-32bit-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-32bit-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-32bit-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-32bit-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35252",
"url": "https://www.suse.com/security/cve/CVE-2022-35252"
},
{
"category": "external",
"summary": "SUSE Bug 1202593 for CVE-2022-35252",
"url": "https://bugzilla.suse.com/1202593"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-32bit-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-32bit-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-32bit-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-32bit-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:curl-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-32bit-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-32bit-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:libcurl4-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:curl-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-32bit-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-32bit-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcurl4-7.60.0-11.46.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.aarch64",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.ppc64le",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.s390x",
"SUSE Linux Enterprise Software Development Kit 12 SP5:libcurl-devel-7.60.0-11.46.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-09-02T13:02:57Z",
"details": "moderate"
}
],
"title": "CVE-2022-35252"
}
]
}
SUSE-SU-2022:3772-1
Vulnerability from csaf_suse - Published: 2022-10-26 10:18 - Updated: 2022-10-26 10:18Summary
Security update for curl
Severity
Important
Notes
Title of the patch: Security update for curl
Description of the patch: This update for curl fixes the following issues:
- CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
Patchnames: SUSE-2022-3772,SUSE-OpenStack-Cloud-9-2022-3772,SUSE-OpenStack-Cloud-Crowbar-9-2022-3772,SUSE-SLE-SAP-12-SP4-2022-3772,SUSE-SLE-SERVER-12-SP4-LTSS-2022-3772
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.3 (High)
Affected products
Recommended
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:curl-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:curl-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.43.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
17 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for curl",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for curl fixes the following issues:\n\n - CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).\n - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). \n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2022-3772,SUSE-OpenStack-Cloud-9-2022-3772,SUSE-OpenStack-Cloud-Crowbar-9-2022-3772,SUSE-SLE-SAP-12-SP4-2022-3772,SUSE-SLE-SERVER-12-SP4-LTSS-2022-3772",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3772-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2022:3772-1",
"url": "https://www.suse.com/support/update/announcement/2022/suse-su-20223772-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2022:3772-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012708.html"
},
{
"category": "self",
"summary": "SUSE Bug 1202593",
"url": "https://bugzilla.suse.com/1202593"
},
{
"category": "self",
"summary": "SUSE Bug 1204383",
"url": "https://bugzilla.suse.com/1204383"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-32221 page",
"url": "https://www.suse.com/security/cve/CVE-2022-32221/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35252 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35252/"
}
],
"title": "Security update for curl",
"tracking": {
"current_release_date": "2022-10-26T10:18:17Z",
"generator": {
"date": "2022-10-26T10:18:17Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2022:3772-1",
"initial_release_date": "2022-10-26T10:18:17Z",
"revision_history": [
{
"date": "2022-10-26T10:18:17Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-4.43.1.aarch64",
"product": {
"name": "curl-7.60.0-4.43.1.aarch64",
"product_id": "curl-7.60.0-4.43.1.aarch64"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-4.43.1.aarch64",
"product": {
"name": "curl-mini-7.60.0-4.43.1.aarch64",
"product_id": "curl-mini-7.60.0-4.43.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-4.43.1.aarch64",
"product": {
"name": "libcurl-devel-7.60.0-4.43.1.aarch64",
"product_id": "libcurl-devel-7.60.0-4.43.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-4.43.1.aarch64",
"product": {
"name": "libcurl-mini-devel-7.60.0-4.43.1.aarch64",
"product_id": "libcurl-mini-devel-7.60.0-4.43.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-4.43.1.aarch64",
"product": {
"name": "libcurl4-7.60.0-4.43.1.aarch64",
"product_id": "libcurl4-7.60.0-4.43.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-4.43.1.aarch64",
"product": {
"name": "libcurl4-mini-7.60.0-4.43.1.aarch64",
"product_id": "libcurl4-mini-7.60.0-4.43.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libcurl-devel-64bit-7.60.0-4.43.1.aarch64_ilp32",
"product": {
"name": "libcurl-devel-64bit-7.60.0-4.43.1.aarch64_ilp32",
"product_id": "libcurl-devel-64bit-7.60.0-4.43.1.aarch64_ilp32"
}
},
{
"category": "product_version",
"name": "libcurl4-64bit-7.60.0-4.43.1.aarch64_ilp32",
"product": {
"name": "libcurl4-64bit-7.60.0-4.43.1.aarch64_ilp32",
"product_id": "libcurl4-64bit-7.60.0-4.43.1.aarch64_ilp32"
}
}
],
"category": "architecture",
"name": "aarch64_ilp32"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-4.43.1.i586",
"product": {
"name": "curl-7.60.0-4.43.1.i586",
"product_id": "curl-7.60.0-4.43.1.i586"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-4.43.1.i586",
"product": {
"name": "curl-mini-7.60.0-4.43.1.i586",
"product_id": "curl-mini-7.60.0-4.43.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-4.43.1.i586",
"product": {
"name": "libcurl-devel-7.60.0-4.43.1.i586",
"product_id": "libcurl-devel-7.60.0-4.43.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-4.43.1.i586",
"product": {
"name": "libcurl-mini-devel-7.60.0-4.43.1.i586",
"product_id": "libcurl-mini-devel-7.60.0-4.43.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-4.43.1.i586",
"product": {
"name": "libcurl4-7.60.0-4.43.1.i586",
"product_id": "libcurl4-7.60.0-4.43.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-4.43.1.i586",
"product": {
"name": "libcurl4-mini-7.60.0-4.43.1.i586",
"product_id": "libcurl4-mini-7.60.0-4.43.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-4.43.1.ppc64le",
"product": {
"name": "curl-7.60.0-4.43.1.ppc64le",
"product_id": "curl-7.60.0-4.43.1.ppc64le"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-4.43.1.ppc64le",
"product": {
"name": "curl-mini-7.60.0-4.43.1.ppc64le",
"product_id": "curl-mini-7.60.0-4.43.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-4.43.1.ppc64le",
"product": {
"name": "libcurl-devel-7.60.0-4.43.1.ppc64le",
"product_id": "libcurl-devel-7.60.0-4.43.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-4.43.1.ppc64le",
"product": {
"name": "libcurl-mini-devel-7.60.0-4.43.1.ppc64le",
"product_id": "libcurl-mini-devel-7.60.0-4.43.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-4.43.1.ppc64le",
"product": {
"name": "libcurl4-7.60.0-4.43.1.ppc64le",
"product_id": "libcurl4-7.60.0-4.43.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-4.43.1.ppc64le",
"product": {
"name": "libcurl4-mini-7.60.0-4.43.1.ppc64le",
"product_id": "libcurl4-mini-7.60.0-4.43.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-4.43.1.s390",
"product": {
"name": "curl-7.60.0-4.43.1.s390",
"product_id": "curl-7.60.0-4.43.1.s390"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-4.43.1.s390",
"product": {
"name": "curl-mini-7.60.0-4.43.1.s390",
"product_id": "curl-mini-7.60.0-4.43.1.s390"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-4.43.1.s390",
"product": {
"name": "libcurl-devel-7.60.0-4.43.1.s390",
"product_id": "libcurl-devel-7.60.0-4.43.1.s390"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-4.43.1.s390",
"product": {
"name": "libcurl-mini-devel-7.60.0-4.43.1.s390",
"product_id": "libcurl-mini-devel-7.60.0-4.43.1.s390"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-4.43.1.s390",
"product": {
"name": "libcurl4-7.60.0-4.43.1.s390",
"product_id": "libcurl4-7.60.0-4.43.1.s390"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-4.43.1.s390",
"product": {
"name": "libcurl4-mini-7.60.0-4.43.1.s390",
"product_id": "libcurl4-mini-7.60.0-4.43.1.s390"
}
}
],
"category": "architecture",
"name": "s390"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-4.43.1.s390x",
"product": {
"name": "curl-7.60.0-4.43.1.s390x",
"product_id": "curl-7.60.0-4.43.1.s390x"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-4.43.1.s390x",
"product": {
"name": "curl-mini-7.60.0-4.43.1.s390x",
"product_id": "curl-mini-7.60.0-4.43.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-4.43.1.s390x",
"product": {
"name": "libcurl-devel-7.60.0-4.43.1.s390x",
"product_id": "libcurl-devel-7.60.0-4.43.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-devel-32bit-7.60.0-4.43.1.s390x",
"product": {
"name": "libcurl-devel-32bit-7.60.0-4.43.1.s390x",
"product_id": "libcurl-devel-32bit-7.60.0-4.43.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-4.43.1.s390x",
"product": {
"name": "libcurl-mini-devel-7.60.0-4.43.1.s390x",
"product_id": "libcurl-mini-devel-7.60.0-4.43.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-4.43.1.s390x",
"product": {
"name": "libcurl4-7.60.0-4.43.1.s390x",
"product_id": "libcurl4-7.60.0-4.43.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-32bit-7.60.0-4.43.1.s390x",
"product": {
"name": "libcurl4-32bit-7.60.0-4.43.1.s390x",
"product_id": "libcurl4-32bit-7.60.0-4.43.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-4.43.1.s390x",
"product": {
"name": "libcurl4-mini-7.60.0-4.43.1.s390x",
"product_id": "libcurl4-mini-7.60.0-4.43.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-4.43.1.x86_64",
"product": {
"name": "curl-7.60.0-4.43.1.x86_64",
"product_id": "curl-7.60.0-4.43.1.x86_64"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-4.43.1.x86_64",
"product": {
"name": "curl-mini-7.60.0-4.43.1.x86_64",
"product_id": "curl-mini-7.60.0-4.43.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-4.43.1.x86_64",
"product": {
"name": "libcurl-devel-7.60.0-4.43.1.x86_64",
"product_id": "libcurl-devel-7.60.0-4.43.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-32bit-7.60.0-4.43.1.x86_64",
"product": {
"name": "libcurl-devel-32bit-7.60.0-4.43.1.x86_64",
"product_id": "libcurl-devel-32bit-7.60.0-4.43.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-4.43.1.x86_64",
"product": {
"name": "libcurl-mini-devel-7.60.0-4.43.1.x86_64",
"product_id": "libcurl-mini-devel-7.60.0-4.43.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-4.43.1.x86_64",
"product": {
"name": "libcurl4-7.60.0-4.43.1.x86_64",
"product_id": "libcurl4-7.60.0-4.43.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-32bit-7.60.0-4.43.1.x86_64",
"product": {
"name": "libcurl4-32bit-7.60.0-4.43.1.x86_64",
"product_id": "libcurl4-32bit-7.60.0-4.43.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-4.43.1.x86_64",
"product": {
"name": "libcurl4-mini-7.60.0-4.43.1.x86_64",
"product_id": "libcurl4-mini-7.60.0-4.43.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 9",
"product": {
"name": "SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:9"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 9",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:9"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:12:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-4.43.1.x86_64 as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:curl-7.60.0-4.43.1.x86_64"
},
"product_reference": "curl-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-4.43.1.x86_64 as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.43.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-4.43.1.x86_64 as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.43.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-4.43.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.43.1.x86_64"
},
"product_reference": "curl-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-4.43.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.43.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-4.43.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.43.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-4.43.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.ppc64le"
},
"product_reference": "curl-7.60.0-4.43.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-4.43.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.x86_64"
},
"product_reference": "curl-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-4.43.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.ppc64le"
},
"product_reference": "libcurl4-7.60.0-4.43.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-4.43.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-4.43.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.43.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-4.43.1.aarch64 as component of SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.aarch64"
},
"product_reference": "curl-7.60.0-4.43.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-4.43.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.ppc64le"
},
"product_reference": "curl-7.60.0-4.43.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-4.43.1.s390x as component of SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.s390x"
},
"product_reference": "curl-7.60.0-4.43.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-4.43.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.x86_64"
},
"product_reference": "curl-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-4.43.1.aarch64 as component of SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.aarch64"
},
"product_reference": "libcurl4-7.60.0-4.43.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-4.43.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.ppc64le"
},
"product_reference": "libcurl4-7.60.0-4.43.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-4.43.1.s390x as component of SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.s390x"
},
"product_reference": "libcurl4-7.60.0-4.43.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-4.43.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-4.43.1.s390x as component of SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.s390x"
},
"product_reference": "libcurl4-32bit-7.60.0-4.43.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-4.43.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-4.43.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-32221",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-32221"
}
],
"notes": [
{
"category": "general",
"text": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.43.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-32221",
"url": "https://www.suse.com/security/cve/CVE-2022-32221"
},
{
"category": "external",
"summary": "SUSE Bug 1204383 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1204383"
},
{
"category": "external",
"summary": "SUSE Bug 1205287 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1205287"
},
{
"category": "external",
"summary": "SUSE Bug 1205834 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1205834"
},
{
"category": "external",
"summary": "SUSE Bug 1206236 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1206236"
},
{
"category": "external",
"summary": "SUSE Bug 1208340 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1208340"
},
{
"category": "external",
"summary": "SUSE Bug 1211233 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1211233"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.43.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.43.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-10-26T10:18:17Z",
"details": "important"
}
],
"title": "CVE-2022-32221"
},
{
"cve": "CVE-2022-35252",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35252"
}
],
"notes": [
{
"category": "general",
"text": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.43.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35252",
"url": "https://www.suse.com/security/cve/CVE-2022-35252"
},
{
"category": "external",
"summary": "SUSE Bug 1202593 for CVE-2022-35252",
"url": "https://bugzilla.suse.com/1202593"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.43.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.aarch64",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.s390x",
"SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.43.1.x86_64",
"SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.43.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-10-26T10:18:17Z",
"details": "moderate"
}
],
"title": "CVE-2022-35252"
}
]
}
SUSE-SU-2022:3774-1
Vulnerability from csaf_suse - Published: 2022-10-26 10:21 - Updated: 2022-10-26 10:21Summary
Security update for curl
Severity
Important
Notes
Title of the patch: Security update for curl
Description of the patch: This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
- CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).
Patchnames: SUSE-2022-3774,SUSE-SLE-Product-HPC-15-2022-3774,SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-3774,SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-3774,SUSE-SLE-Product-SLES-15-2022-3774,SUSE-SLE-Product-SLES-15-SP1-BCL-2022-3774,SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-3774,SUSE-SLE-Product-SLES_SAP-15-2022-3774,SUSE-SLE-Product-SLES_SAP-15-SP1-2022-3774,SUSE-Storage-6-2022-3774
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.3 (High)
Affected products
Recommended
79 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-BCL:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-BCL:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
79 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-BCL:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-BCL:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-32bit-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
17 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for curl",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for curl fixes the following issues:\n\n - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).\n - CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2022-3774,SUSE-SLE-Product-HPC-15-2022-3774,SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-3774,SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-3774,SUSE-SLE-Product-SLES-15-2022-3774,SUSE-SLE-Product-SLES-15-SP1-BCL-2022-3774,SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-3774,SUSE-SLE-Product-SLES_SAP-15-2022-3774,SUSE-SLE-Product-SLES_SAP-15-SP1-2022-3774,SUSE-Storage-6-2022-3774",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3774-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2022:3774-1",
"url": "https://www.suse.com/support/update/announcement/2022/suse-su-20223774-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2022:3774-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012702.html"
},
{
"category": "self",
"summary": "SUSE Bug 1202593",
"url": "https://bugzilla.suse.com/1202593"
},
{
"category": "self",
"summary": "SUSE Bug 1204383",
"url": "https://bugzilla.suse.com/1204383"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-32221 page",
"url": "https://www.suse.com/security/cve/CVE-2022-32221/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35252 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35252/"
}
],
"title": "Security update for curl",
"tracking": {
"current_release_date": "2022-10-26T10:21:39Z",
"generator": {
"date": "2022-10-26T10:21:39Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2022:3774-1",
"initial_release_date": "2022-10-26T10:21:39Z",
"revision_history": [
{
"date": "2022-10-26T10:21:39Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-150000.38.1.aarch64",
"product": {
"name": "curl-7.60.0-150000.38.1.aarch64",
"product_id": "curl-7.60.0-150000.38.1.aarch64"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-150000.38.1.aarch64",
"product": {
"name": "curl-mini-7.60.0-150000.38.1.aarch64",
"product_id": "curl-mini-7.60.0-150000.38.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-150000.38.1.aarch64",
"product": {
"name": "libcurl-devel-7.60.0-150000.38.1.aarch64",
"product_id": "libcurl-devel-7.60.0-150000.38.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-150000.38.1.aarch64",
"product": {
"name": "libcurl-mini-devel-7.60.0-150000.38.1.aarch64",
"product_id": "libcurl-mini-devel-7.60.0-150000.38.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-150000.38.1.aarch64",
"product": {
"name": "libcurl4-7.60.0-150000.38.1.aarch64",
"product_id": "libcurl4-7.60.0-150000.38.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-150000.38.1.aarch64",
"product": {
"name": "libcurl4-mini-7.60.0-150000.38.1.aarch64",
"product_id": "libcurl4-mini-7.60.0-150000.38.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libcurl-devel-64bit-7.60.0-150000.38.1.aarch64_ilp32",
"product": {
"name": "libcurl-devel-64bit-7.60.0-150000.38.1.aarch64_ilp32",
"product_id": "libcurl-devel-64bit-7.60.0-150000.38.1.aarch64_ilp32"
}
},
{
"category": "product_version",
"name": "libcurl4-64bit-7.60.0-150000.38.1.aarch64_ilp32",
"product": {
"name": "libcurl4-64bit-7.60.0-150000.38.1.aarch64_ilp32",
"product_id": "libcurl4-64bit-7.60.0-150000.38.1.aarch64_ilp32"
}
}
],
"category": "architecture",
"name": "aarch64_ilp32"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-150000.38.1.i586",
"product": {
"name": "curl-7.60.0-150000.38.1.i586",
"product_id": "curl-7.60.0-150000.38.1.i586"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-150000.38.1.i586",
"product": {
"name": "curl-mini-7.60.0-150000.38.1.i586",
"product_id": "curl-mini-7.60.0-150000.38.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-150000.38.1.i586",
"product": {
"name": "libcurl-devel-7.60.0-150000.38.1.i586",
"product_id": "libcurl-devel-7.60.0-150000.38.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-150000.38.1.i586",
"product": {
"name": "libcurl-mini-devel-7.60.0-150000.38.1.i586",
"product_id": "libcurl-mini-devel-7.60.0-150000.38.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-150000.38.1.i586",
"product": {
"name": "libcurl4-7.60.0-150000.38.1.i586",
"product_id": "libcurl4-7.60.0-150000.38.1.i586"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-150000.38.1.i586",
"product": {
"name": "libcurl4-mini-7.60.0-150000.38.1.i586",
"product_id": "libcurl4-mini-7.60.0-150000.38.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-150000.38.1.ppc64le",
"product": {
"name": "curl-7.60.0-150000.38.1.ppc64le",
"product_id": "curl-7.60.0-150000.38.1.ppc64le"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-150000.38.1.ppc64le",
"product": {
"name": "curl-mini-7.60.0-150000.38.1.ppc64le",
"product_id": "curl-mini-7.60.0-150000.38.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-150000.38.1.ppc64le",
"product": {
"name": "libcurl-devel-7.60.0-150000.38.1.ppc64le",
"product_id": "libcurl-devel-7.60.0-150000.38.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-150000.38.1.ppc64le",
"product": {
"name": "libcurl-mini-devel-7.60.0-150000.38.1.ppc64le",
"product_id": "libcurl-mini-devel-7.60.0-150000.38.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-150000.38.1.ppc64le",
"product": {
"name": "libcurl4-7.60.0-150000.38.1.ppc64le",
"product_id": "libcurl4-7.60.0-150000.38.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-150000.38.1.ppc64le",
"product": {
"name": "libcurl4-mini-7.60.0-150000.38.1.ppc64le",
"product_id": "libcurl4-mini-7.60.0-150000.38.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-150000.38.1.s390x",
"product": {
"name": "curl-7.60.0-150000.38.1.s390x",
"product_id": "curl-7.60.0-150000.38.1.s390x"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-150000.38.1.s390x",
"product": {
"name": "curl-mini-7.60.0-150000.38.1.s390x",
"product_id": "curl-mini-7.60.0-150000.38.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-150000.38.1.s390x",
"product": {
"name": "libcurl-devel-7.60.0-150000.38.1.s390x",
"product_id": "libcurl-devel-7.60.0-150000.38.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-150000.38.1.s390x",
"product": {
"name": "libcurl-mini-devel-7.60.0-150000.38.1.s390x",
"product_id": "libcurl-mini-devel-7.60.0-150000.38.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-150000.38.1.s390x",
"product": {
"name": "libcurl4-7.60.0-150000.38.1.s390x",
"product_id": "libcurl4-7.60.0-150000.38.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-150000.38.1.s390x",
"product": {
"name": "libcurl4-mini-7.60.0-150000.38.1.s390x",
"product_id": "libcurl4-mini-7.60.0-150000.38.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-7.60.0-150000.38.1.x86_64",
"product": {
"name": "curl-7.60.0-150000.38.1.x86_64",
"product_id": "curl-7.60.0-150000.38.1.x86_64"
}
},
{
"category": "product_version",
"name": "curl-mini-7.60.0-150000.38.1.x86_64",
"product": {
"name": "curl-mini-7.60.0-150000.38.1.x86_64",
"product_id": "curl-mini-7.60.0-150000.38.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"product": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"product_id": "libcurl-devel-7.60.0-150000.38.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-devel-32bit-7.60.0-150000.38.1.x86_64",
"product": {
"name": "libcurl-devel-32bit-7.60.0-150000.38.1.x86_64",
"product_id": "libcurl-devel-32bit-7.60.0-150000.38.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl-mini-devel-7.60.0-150000.38.1.x86_64",
"product": {
"name": "libcurl-mini-devel-7.60.0-150000.38.1.x86_64",
"product_id": "libcurl-mini-devel-7.60.0-150000.38.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-7.60.0-150000.38.1.x86_64",
"product": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64",
"product_id": "libcurl4-7.60.0-150000.38.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"product": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"product_id": "libcurl4-32bit-7.60.0-150000.38.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-mini-7.60.0-150000.38.1.x86_64",
"product": {
"name": "libcurl4-mini-7.60.0-150000.38.1.x86_64",
"product_id": "libcurl4-mini-7.60.0-150000.38.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP1-BCL",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP1-BCL",
"product_id": "SUSE Linux Enterprise Server 15 SP1-BCL",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_bcl:15:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP1-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP1",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 6",
"product": {
"name": "SUSE Enterprise Storage 6",
"product_id": "SUSE Enterprise Storage 6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.aarch64"
},
"product_reference": "curl-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.x86_64"
},
"product_reference": "curl-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.aarch64"
},
"product_reference": "curl-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.x86_64"
},
"product_reference": "curl-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.aarch64"
},
"product_reference": "curl-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.x86_64"
},
"product_reference": "curl-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64"
},
"product_reference": "curl-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64"
},
"product_reference": "curl-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.aarch64"
},
"product_reference": "curl-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "curl-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.s390x as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.s390x"
},
"product_reference": "curl-7.60.0-150000.38.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.x86_64"
},
"product_reference": "curl-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.s390x as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.s390x as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.s390x"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP1-BCL",
"product_id": "SUSE Linux Enterprise Server 15 SP1-BCL:curl-7.60.0-150000.38.1.x86_64"
},
"product_reference": "curl-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-BCL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP1-BCL",
"product_id": "SUSE Linux Enterprise Server 15 SP1-BCL:libcurl-devel-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-BCL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP1-BCL",
"product_id": "SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-BCL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP1-BCL",
"product_id": "SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-32bit-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-BCL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64"
},
"product_reference": "curl-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "curl-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.s390x as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.s390x"
},
"product_reference": "curl-7.60.0-150000.38.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64"
},
"product_reference": "curl-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.s390x as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.s390x as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.s390x"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "curl-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.x86_64"
},
"product_reference": "curl-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-32bit-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "curl-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.x86_64"
},
"product_reference": "curl-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.ppc64le"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-32bit-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.aarch64 as component of SUSE Enterprise Storage 6",
"product_id": "SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.aarch64"
},
"product_reference": "curl-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Enterprise Storage 6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-7.60.0-150000.38.1.x86_64 as component of SUSE Enterprise Storage 6",
"product_id": "SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.x86_64"
},
"product_reference": "curl-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.aarch64 as component of SUSE Enterprise Storage 6",
"product_id": "SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Enterprise Storage 6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl-devel-7.60.0-150000.38.1.x86_64 as component of SUSE Enterprise Storage 6",
"product_id": "SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl-devel-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.aarch64 as component of SUSE Enterprise Storage 6",
"product_id": "SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.aarch64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.aarch64",
"relates_to_product_reference": "SUSE Enterprise Storage 6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-7.60.0-150000.38.1.x86_64 as component of SUSE Enterprise Storage 6",
"product_id": "SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-32bit-7.60.0-150000.38.1.x86_64 as component of SUSE Enterprise Storage 6",
"product_id": "SUSE Enterprise Storage 6:libcurl4-32bit-7.60.0-150000.38.1.x86_64"
},
"product_reference": "libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-32221",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-32221"
}
],
"notes": [
{
"category": "general",
"text": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-32221",
"url": "https://www.suse.com/security/cve/CVE-2022-32221"
},
{
"category": "external",
"summary": "SUSE Bug 1204383 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1204383"
},
{
"category": "external",
"summary": "SUSE Bug 1205287 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1205287"
},
{
"category": "external",
"summary": "SUSE Bug 1205834 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1205834"
},
{
"category": "external",
"summary": "SUSE Bug 1206236 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1206236"
},
{
"category": "external",
"summary": "SUSE Bug 1208340 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1208340"
},
{
"category": "external",
"summary": "SUSE Bug 1211233 for CVE-2022-32221",
"url": "https://bugzilla.suse.com/1211233"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-10-26T10:21:39Z",
"details": "important"
}
],
"title": "CVE-2022-32221"
},
{
"cve": "CVE-2022-35252",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35252"
}
],
"notes": [
{
"category": "general",
"text": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35252",
"url": "https://www.suse.com/security/cve/CVE-2022-35252"
},
{
"category": "external",
"summary": "SUSE Bug 1202593 for CVE-2022-35252",
"url": "https://bugzilla.suse.com/1202593"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:curl-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Enterprise Storage 6:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-BCL:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15 SP1-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP1:libcurl4-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:curl-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl-devel-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-32bit-7.60.0-150000.38.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:libcurl4-7.60.0-150000.38.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-10-26T10:21:39Z",
"details": "moderate"
}
],
"title": "CVE-2022-35252"
}
]
}
VAR-202208-2263
Vulnerability from variot - Updated: 2026-03-09 23:13When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings. A security vulnerability exists in curl versions 4.9 through 7.84. ========================================================================== Ubuntu Security Notice USN-5587-1 September 01, 2022
curl vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
curl could be denied access to a HTTP(S) content if it recieved a specially crafted cookie.
Software Description: - curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Axel Chong discovered that when curl accepted and sent back cookies containing control bytes that a HTTP(S) server might return a 400 (Bad Request Error) response. A malicious cookie host could possibly use this to cause denial-of-service.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04 LTS: curl 7.81.0-1ubuntu1.4 libcurl3-gnutls 7.81.0-1ubuntu1.4 libcurl3-nss 7.81.0-1ubuntu1.4 libcurl4 7.81.0-1ubuntu1.4
Ubuntu 20.04 LTS: curl 7.68.0-1ubuntu2.13 libcurl3-gnutls 7.68.0-1ubuntu2.13 libcurl3-nss 7.68.0-1ubuntu2.13 libcurl4 7.68.0-1ubuntu2.13
Ubuntu 18.04 LTS: curl 7.58.0-2ubuntu3.20 libcurl3-gnutls 7.58.0-2ubuntu3.20 libcurl3-nss 7.58.0-2ubuntu3.20 libcurl4 7.58.0-2ubuntu3.20
Ubuntu 16.04 ESM: curl 7.47.0-1ubuntu2.19+esm5 libcurl3 7.47.0-1ubuntu2.19+esm5 libcurl3-gnutls 7.47.0-1ubuntu2.19+esm5 libcurl3-nss 7.47.0-1ubuntu2.19+esm5
Ubuntu 14.04 ESM: curl 7.35.0-1ubuntu2.20+esm12 libcurl3 7.35.0-1ubuntu2.20+esm12 libcurl3-gnutls 7.35.0-1ubuntu2.20+esm12 libcurl3-nss 7.35.0-1ubuntu2.20+esm12
In general, a standard system update will make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202212-01
https://security.gentoo.org/
Severity: High Title: curl: Multiple Vulnerabilities Date: December 19, 2022 Bugs: #803308, #813270, #841302, #843824, #854708, #867679, #878365 ID: 202212-01
Synopsis
Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution.
Background
A command line tool and library for transferring data with URLs.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/curl < 7.86.0 >= 7.86.0
Description
Multiple vulnerabilities have been discovered in curl. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All curl users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/curl-7.86.0"
References
[ 1 ] CVE-2021-22922 https://nvd.nist.gov/vuln/detail/CVE-2021-22922 [ 2 ] CVE-2021-22923 https://nvd.nist.gov/vuln/detail/CVE-2021-22923 [ 3 ] CVE-2021-22925 https://nvd.nist.gov/vuln/detail/CVE-2021-22925 [ 4 ] CVE-2021-22926 https://nvd.nist.gov/vuln/detail/CVE-2021-22926 [ 5 ] CVE-2021-22945 https://nvd.nist.gov/vuln/detail/CVE-2021-22945 [ 6 ] CVE-2021-22946 https://nvd.nist.gov/vuln/detail/CVE-2021-22946 [ 7 ] CVE-2021-22947 https://nvd.nist.gov/vuln/detail/CVE-2021-22947 [ 8 ] CVE-2022-22576 https://nvd.nist.gov/vuln/detail/CVE-2022-22576 [ 9 ] CVE-2022-27774 https://nvd.nist.gov/vuln/detail/CVE-2022-27774 [ 10 ] CVE-2022-27775 https://nvd.nist.gov/vuln/detail/CVE-2022-27775 [ 11 ] CVE-2022-27776 https://nvd.nist.gov/vuln/detail/CVE-2022-27776 [ 12 ] CVE-2022-27779 https://nvd.nist.gov/vuln/detail/CVE-2022-27779 [ 13 ] CVE-2022-27780 https://nvd.nist.gov/vuln/detail/CVE-2022-27780 [ 14 ] CVE-2022-27781 https://nvd.nist.gov/vuln/detail/CVE-2022-27781 [ 15 ] CVE-2022-27782 https://nvd.nist.gov/vuln/detail/CVE-2022-27782 [ 16 ] CVE-2022-30115 https://nvd.nist.gov/vuln/detail/CVE-2022-30115 [ 17 ] CVE-2022-32205 https://nvd.nist.gov/vuln/detail/CVE-2022-32205 [ 18 ] CVE-2022-32206 https://nvd.nist.gov/vuln/detail/CVE-2022-32206 [ 19 ] CVE-2022-32207 https://nvd.nist.gov/vuln/detail/CVE-2022-32207 [ 20 ] CVE-2022-32208 https://nvd.nist.gov/vuln/detail/CVE-2022-32208 [ 21 ] CVE-2022-32221 https://nvd.nist.gov/vuln/detail/CVE-2022-32221 [ 22 ] CVE-2022-35252 https://nvd.nist.gov/vuln/detail/CVE-2022-35252 [ 23 ] CVE-2022-35260 https://nvd.nist.gov/vuln/detail/CVE-2022-35260 [ 24 ] CVE-2022-42915 https://nvd.nist.gov/vuln/detail/CVE-2022-42915 [ 25 ] CVE-2022-42916 https://nvd.nist.gov/vuln/detail/CVE-2022-42916
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202212-01
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3
macOS Monterey 12.6.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213604.
AppleMobileFileIntegrity Available for: macOS Monterey Impact: An app may be able to access user-sensitive data Description: This issue was addressed by enabling hardened runtime. CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing (wojciechregula.blog)
curl Available for: macOS Monterey Impact: Multiple issues in curl Description: Multiple issues were addressed by updating to curl version 7.86.0. CVE-2022-42915 CVE-2022-42916 CVE-2022-32221 CVE-2022-35260
curl Available for: macOS Monterey Impact: Multiple issues in curl Description: Multiple issues were addressed by updating to curl version 7.85.0. CVE-2022-35252
dcerpc Available for: macOS Monterey Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco Talos
DiskArbitration Available for: macOS Monterey Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password Description: A logic issue was addressed with improved state management. CVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)
DriverKit Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: A type confusion issue was addressed with improved checks. CVE-2022-32915: Tommy Muir (@Muirey03)
Intel Graphics Driver Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved bounds checks. CVE-2023-23507: an anonymous researcher
Kernel Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2023-23504: Adam Doupé of ASU SEFCOM
Kernel Available for: macOS Monterey Impact: An app may be able to determine kernel memory layout Description: An information disclosure issue was addressed by removing the vulnerable code. CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. (@starlabs_sg)
PackageKit Available for: macOS Monterey Impact: An app may be able to gain root privileges Description: A logic issue was addressed with improved state management. CVE-2023-23497: Mickey Jin (@patch1t)
Screen Time Available for: macOS Monterey Impact: An app may be able to access information about a user’s contacts Description: A privacy issue was addressed with improved private data redaction for log entries. CVE-2023-23505: Wojciech Regula of SecuRing (wojciechregula.blog)
Weather Available for: macOS Monterey Impact: An app may be able to bypass Privacy preferences Description: The issue was addressed with improved memory handling. CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an anonymous researcher
WebKit Available for: macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 248268 CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE WebKit Bugzilla: 248268 CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE
Windows Installer Available for: macOS Monterey Impact: An app may be able to bypass Privacy preferences Description: The issue was addressed with improved memory handling. CVE-2023-23508: Mickey Jin (@patch1t)
Additional recognition
Kernel We would like to acknowledge Nick Stenning of Replicate for their assistance.
macOS Monterey 12.6.3 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.
The following advisory data is extracted from:
https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0428.json
Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. Summary:
Red Hat Advanced Cluster Management for Kubernetes 2.6.6 General Availability release images, which fix security issues and update container images. Description:
Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images
Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.
This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/
Security Fix(es): * CVE-2023-28856 redis: Insufficient validation of HINCRBYFLOAT command * CVE-2023-32314 vm2: Sandbox Escape * CVE-2023-32313 vm2: Inspect Manipulation
- Solution:
For Red Hat Advanced Cluster Management for Kubernetes, see the following documentation for details on how to install the images:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/install/installing#installing-while-connected-online
- Bugs fixed (https://bugzilla.redhat.com/):
2187525 - CVE-2023-28856 redis: Insufficient validation of HINCRBYFLOAT command 2208376 - CVE-2023-32314 vm2: Sandbox Escape 2208377 - CVE-2023-32313 vm2: Inspect Manipulation
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Low: curl security update Advisory ID: RHSA-2023:2478-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2478 Issue date: 2023-05-09 CVE Names: CVE-2022-35252 CVE-2022-43552 ==================================================================== 1. Summary:
An update for curl is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64
- Description:
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
-
curl: Incorrect handling of control code characters in cookies (CVE-2022-35252)
-
curl: Use-after-free triggered by an HTTP proxy deny response (CVE-2022-43552)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2120718 - CVE-2022-35252 curl: Incorrect handling of control code characters in cookies 2152652 - CVE-2022-43552 curl: Use-after-free triggered by an HTTP proxy deny response
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
aarch64: curl-debuginfo-7.76.1-23.el9.aarch64.rpm curl-debugsource-7.76.1-23.el9.aarch64.rpm curl-minimal-debuginfo-7.76.1-23.el9.aarch64.rpm libcurl-debuginfo-7.76.1-23.el9.aarch64.rpm libcurl-devel-7.76.1-23.el9.aarch64.rpm libcurl-minimal-debuginfo-7.76.1-23.el9.aarch64.rpm
ppc64le: curl-debuginfo-7.76.1-23.el9.ppc64le.rpm curl-debugsource-7.76.1-23.el9.ppc64le.rpm curl-minimal-debuginfo-7.76.1-23.el9.ppc64le.rpm libcurl-debuginfo-7.76.1-23.el9.ppc64le.rpm libcurl-devel-7.76.1-23.el9.ppc64le.rpm libcurl-minimal-debuginfo-7.76.1-23.el9.ppc64le.rpm
s390x: curl-debuginfo-7.76.1-23.el9.s390x.rpm curl-debugsource-7.76.1-23.el9.s390x.rpm curl-minimal-debuginfo-7.76.1-23.el9.s390x.rpm libcurl-debuginfo-7.76.1-23.el9.s390x.rpm libcurl-devel-7.76.1-23.el9.s390x.rpm libcurl-minimal-debuginfo-7.76.1-23.el9.s390x.rpm
x86_64: curl-debuginfo-7.76.1-23.el9.i686.rpm curl-debuginfo-7.76.1-23.el9.x86_64.rpm curl-debugsource-7.76.1-23.el9.i686.rpm curl-debugsource-7.76.1-23.el9.x86_64.rpm curl-minimal-debuginfo-7.76.1-23.el9.i686.rpm curl-minimal-debuginfo-7.76.1-23.el9.x86_64.rpm libcurl-debuginfo-7.76.1-23.el9.i686.rpm libcurl-debuginfo-7.76.1-23.el9.x86_64.rpm libcurl-devel-7.76.1-23.el9.i686.rpm libcurl-devel-7.76.1-23.el9.x86_64.rpm libcurl-minimal-debuginfo-7.76.1-23.el9.i686.rpm libcurl-minimal-debuginfo-7.76.1-23.el9.x86_64.rpm
Red Hat Enterprise Linux BaseOS (v. 9):
Source: curl-7.76.1-23.el9.src.rpm
aarch64: curl-7.76.1-23.el9.aarch64.rpm curl-debuginfo-7.76.1-23.el9.aarch64.rpm curl-debugsource-7.76.1-23.el9.aarch64.rpm curl-minimal-7.76.1-23.el9.aarch64.rpm curl-minimal-debuginfo-7.76.1-23.el9.aarch64.rpm libcurl-7.76.1-23.el9.aarch64.rpm libcurl-debuginfo-7.76.1-23.el9.aarch64.rpm libcurl-minimal-7.76.1-23.el9.aarch64.rpm libcurl-minimal-debuginfo-7.76.1-23.el9.aarch64.rpm
ppc64le: curl-7.76.1-23.el9.ppc64le.rpm curl-debuginfo-7.76.1-23.el9.ppc64le.rpm curl-debugsource-7.76.1-23.el9.ppc64le.rpm curl-minimal-7.76.1-23.el9.ppc64le.rpm curl-minimal-debuginfo-7.76.1-23.el9.ppc64le.rpm libcurl-7.76.1-23.el9.ppc64le.rpm libcurl-debuginfo-7.76.1-23.el9.ppc64le.rpm libcurl-minimal-7.76.1-23.el9.ppc64le.rpm libcurl-minimal-debuginfo-7.76.1-23.el9.ppc64le.rpm
s390x: curl-7.76.1-23.el9.s390x.rpm curl-debuginfo-7.76.1-23.el9.s390x.rpm curl-debugsource-7.76.1-23.el9.s390x.rpm curl-minimal-7.76.1-23.el9.s390x.rpm curl-minimal-debuginfo-7.76.1-23.el9.s390x.rpm libcurl-7.76.1-23.el9.s390x.rpm libcurl-debuginfo-7.76.1-23.el9.s390x.rpm libcurl-minimal-7.76.1-23.el9.s390x.rpm libcurl-minimal-debuginfo-7.76.1-23.el9.s390x.rpm
x86_64: curl-7.76.1-23.el9.x86_64.rpm curl-debuginfo-7.76.1-23.el9.i686.rpm curl-debuginfo-7.76.1-23.el9.x86_64.rpm curl-debugsource-7.76.1-23.el9.i686.rpm curl-debugsource-7.76.1-23.el9.x86_64.rpm curl-minimal-7.76.1-23.el9.x86_64.rpm curl-minimal-debuginfo-7.76.1-23.el9.i686.rpm curl-minimal-debuginfo-7.76.1-23.el9.x86_64.rpm libcurl-7.76.1-23.el9.i686.rpm libcurl-7.76.1-23.el9.x86_64.rpm libcurl-debuginfo-7.76.1-23.el9.i686.rpm libcurl-debuginfo-7.76.1-23.el9.x86_64.rpm libcurl-minimal-7.76.1-23.el9.i686.rpm libcurl-minimal-7.76.1-23.el9.x86_64.rpm libcurl-minimal-debuginfo-7.76.1-23.el9.i686.rpm libcurl-minimal-debuginfo-7.76.1-23.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-35252 https://access.redhat.com/security/cve/CVE-2022-43552 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBZFo0V9zjgjWX9erEAQhmTw/9FUwLCGRKCmddNVTMAaay54EPggJFOPKx nN06YIqiK5arkX4SD58YZrX9J0gUZcwGs6s5WO35pG3F+qJXhe8E8fbzavqRG5NB oxG+pDC5+6xQxK41tkuLYJoUhF1w4yG8SuMSzroLcpbut/MAjKGGw4qgyNGit1Su xFGrDTyFxtj+tUZIQCil0HAqlXswQ7G2ukB9kQBpxNRfR0V2ANfmfkkGj8+xWauh L1PcaDezNWgAbgWbuf3mHNiwDMxWsNfcwCbx3P8sF+vRe7q5RdIFNL1oXJkPxQVy C6L29KcaLYxToNmUNyrOncWAj8KSlrDngVq3NXnG34lVzqz2t/ouc/0lX4Jc9qTL mGwYoXvlTqQgV4hGQPfDufApaukxgZfcSidSfqlNt1amYYNiYcvIyf15dht87ipB 27ahZWDKvunB4gqMG62XNHyiu9bKmDCyL57ggUBt3wxJ7H9M/OgjsI7C/i/10SMT D75GjYaU2TWyGLd4SvbV6/3pA3zAZ0Ffqc66uANwfBXC7jFd2/ykEBir3vJYTq17 r2YWYgH2sma5kwb7ZHQhLKk+N2a0g1KX+Mr0V2wJ+yAYwkbz6wu/BVDXstBFkumJ /iKmtOn0Mk07wo/3wvWu5M4tk4kZzmLzs1/ybH3GWOUbFUxbqgOos3/0Vi/uSW88 Yxf4bV/uBmU=HlZ2 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description:
VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters. After deploying the VolSync operator, it can create and maintain copies of your persistent data.
For more information about VolSync, see:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/add-ons/add-ons-overview#volsync
or the VolSync open source community website at: https://volsync.readthedocs.io/en/stable/.
Security fix(es): * CVE-2023-3089 openshift: OCP & FIPS mode
- Bugs fixed (https://bugzilla.redhat.com/):
2212085 - CVE-2023-3089 openshift: OCP & FIPS mode
5
Show details on source website{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "universal forwarder",
"scope": "eq",
"trust": 1.0,
"vendor": "splunk",
"version": "9.1.0"
},
{
"_id": null,
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "bootstrap os",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "h700s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "solidfire",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "universal forwarder",
"scope": "lt",
"trust": 1.0,
"vendor": "splunk",
"version": "9.0.6"
},
{
"_id": null,
"model": "h500s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "macos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.6.3"
},
{
"_id": null,
"model": "universal forwarder",
"scope": "gte",
"trust": 1.0,
"vendor": "splunk",
"version": "9.0.0"
},
{
"_id": null,
"model": "universal forwarder",
"scope": "lt",
"trust": 1.0,
"vendor": "splunk",
"version": "8.2.12"
},
{
"_id": null,
"model": "curl",
"scope": "lt",
"trust": 1.0,
"vendor": "haxx",
"version": "7.85.0"
},
{
"_id": null,
"model": "hci management node",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "element software",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "macos",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "12.0.0"
},
{
"_id": null,
"model": "h410s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "h300s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "macos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.7.3"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"_id": null,
"model": "universal forwarder",
"scope": "gte",
"trust": 1.0,
"vendor": "splunk",
"version": "8.2.0"
},
{
"_id": null,
"model": "macos",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "11.0"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-35252"
}
]
},
"credits": {
"_id": null,
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "176746"
},
{
"db": "PACKETSTORM",
"id": "172378"
},
{
"db": "PACKETSTORM",
"id": "172587"
},
{
"db": "PACKETSTORM",
"id": "172195"
},
{
"db": "PACKETSTORM",
"id": "174080"
}
],
"trust": 0.5
},
"cve": "CVE-2022-35252",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.2,
"id": "CVE-2022-35252",
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-35252",
"trust": 1.0,
"value": "LOW"
},
{
"author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"id": "CVE-2022-35252",
"trust": 1.0,
"value": "LOW"
},
{
"author": "CNNVD",
"id": "CNNVD-202208-4523",
"trust": 0.6,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-4523"
},
{
"db": "NVD",
"id": "CVE-2022-35252"
},
{
"db": "NVD",
"id": "CVE-2022-35252"
}
]
},
"description": {
"_id": null,
"data": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings. A security vulnerability exists in curl versions 4.9 through 7.84. ==========================================================================\nUbuntu Security Notice USN-5587-1\nSeptember 01, 2022\n\ncurl vulnerability\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 22.04 LTS\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS\n- Ubuntu 16.04 ESM\n- Ubuntu 14.04 ESM\n\nSummary:\n\ncurl could be denied access to a HTTP(S) content if it recieved\na specially crafted cookie. \n\nSoftware Description:\n- curl: HTTP, HTTPS, and FTP client and client libraries\n\nDetails:\n\nAxel Chong discovered that when curl accepted and sent back\ncookies containing control bytes that a HTTP(S) server might\nreturn a 400 (Bad Request Error) response. A malicious cookie\nhost could possibly use this to cause denial-of-service. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 22.04 LTS:\ncurl 7.81.0-1ubuntu1.4\nlibcurl3-gnutls 7.81.0-1ubuntu1.4\nlibcurl3-nss 7.81.0-1ubuntu1.4\nlibcurl4 7.81.0-1ubuntu1.4\n\nUbuntu 20.04 LTS:\ncurl 7.68.0-1ubuntu2.13\nlibcurl3-gnutls 7.68.0-1ubuntu2.13\nlibcurl3-nss 7.68.0-1ubuntu2.13\nlibcurl4 7.68.0-1ubuntu2.13\n\nUbuntu 18.04 LTS:\ncurl 7.58.0-2ubuntu3.20\nlibcurl3-gnutls 7.58.0-2ubuntu3.20\nlibcurl3-nss 7.58.0-2ubuntu3.20\nlibcurl4 7.58.0-2ubuntu3.20\n\nUbuntu 16.04 ESM:\ncurl 7.47.0-1ubuntu2.19+esm5\nlibcurl3 7.47.0-1ubuntu2.19+esm5\nlibcurl3-gnutls 7.47.0-1ubuntu2.19+esm5\nlibcurl3-nss 7.47.0-1ubuntu2.19+esm5\n\nUbuntu 14.04 ESM:\ncurl 7.35.0-1ubuntu2.20+esm12\nlibcurl3 7.35.0-1ubuntu2.20+esm12\nlibcurl3-gnutls 7.35.0-1ubuntu2.20+esm12\nlibcurl3-nss 7.35.0-1ubuntu2.20+esm12\n\nIn general, a standard system update will make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202212-01\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: curl: Multiple Vulnerabilities\n Date: December 19, 2022\n Bugs: #803308, #813270, #841302, #843824, #854708, #867679, #878365\n ID: 202212-01\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nMultiple vulnerabilities have been found in curl, the worst of which\ncould result in arbitrary code execution. \n\nBackground\n=========\nA command line tool and library for transferring data with URLs. \n\nAffected packages\n================\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 net-misc/curl \u003c 7.86.0 \u003e= 7.86.0\n\nDescription\n==========\nMultiple vulnerabilities have been discovered in curl. Please review the\nCVE identifiers referenced below for details. \n\nImpact\n=====\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n=========\nThere is no known workaround at this time. \n\nResolution\n=========\nAll curl users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-misc/curl-7.86.0\"\n\nReferences\n=========\n[ 1 ] CVE-2021-22922\n https://nvd.nist.gov/vuln/detail/CVE-2021-22922\n[ 2 ] CVE-2021-22923\n https://nvd.nist.gov/vuln/detail/CVE-2021-22923\n[ 3 ] CVE-2021-22925\n https://nvd.nist.gov/vuln/detail/CVE-2021-22925\n[ 4 ] CVE-2021-22926\n https://nvd.nist.gov/vuln/detail/CVE-2021-22926\n[ 5 ] CVE-2021-22945\n https://nvd.nist.gov/vuln/detail/CVE-2021-22945\n[ 6 ] CVE-2021-22946\n https://nvd.nist.gov/vuln/detail/CVE-2021-22946\n[ 7 ] CVE-2021-22947\n https://nvd.nist.gov/vuln/detail/CVE-2021-22947\n[ 8 ] CVE-2022-22576\n https://nvd.nist.gov/vuln/detail/CVE-2022-22576\n[ 9 ] CVE-2022-27774\n https://nvd.nist.gov/vuln/detail/CVE-2022-27774\n[ 10 ] CVE-2022-27775\n https://nvd.nist.gov/vuln/detail/CVE-2022-27775\n[ 11 ] CVE-2022-27776\n https://nvd.nist.gov/vuln/detail/CVE-2022-27776\n[ 12 ] CVE-2022-27779\n https://nvd.nist.gov/vuln/detail/CVE-2022-27779\n[ 13 ] CVE-2022-27780\n https://nvd.nist.gov/vuln/detail/CVE-2022-27780\n[ 14 ] CVE-2022-27781\n https://nvd.nist.gov/vuln/detail/CVE-2022-27781\n[ 15 ] CVE-2022-27782\n https://nvd.nist.gov/vuln/detail/CVE-2022-27782\n[ 16 ] CVE-2022-30115\n https://nvd.nist.gov/vuln/detail/CVE-2022-30115\n[ 17 ] CVE-2022-32205\n https://nvd.nist.gov/vuln/detail/CVE-2022-32205\n[ 18 ] CVE-2022-32206\n https://nvd.nist.gov/vuln/detail/CVE-2022-32206\n[ 19 ] CVE-2022-32207\n https://nvd.nist.gov/vuln/detail/CVE-2022-32207\n[ 20 ] CVE-2022-32208\n https://nvd.nist.gov/vuln/detail/CVE-2022-32208\n[ 21 ] CVE-2022-32221\n https://nvd.nist.gov/vuln/detail/CVE-2022-32221\n[ 22 ] CVE-2022-35252\n https://nvd.nist.gov/vuln/detail/CVE-2022-35252\n[ 23 ] CVE-2022-35260\n https://nvd.nist.gov/vuln/detail/CVE-2022-35260\n[ 24 ] CVE-2022-42915\n https://nvd.nist.gov/vuln/detail/CVE-2022-42915\n[ 25 ] CVE-2022-42916\n https://nvd.nist.gov/vuln/detail/CVE-2022-42916\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202212-01\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2023-01-23-5 macOS Monterey 12.6.3\n\nmacOS Monterey 12.6.3 addresses the following issues. \nInformation about the security content is also available at\nhttps://support.apple.com/HT213604. \n\nAppleMobileFileIntegrity\nAvailable for: macOS Monterey\nImpact: An app may be able to access user-sensitive data\nDescription: This issue was addressed by enabling hardened runtime. \nCVE-2023-23499: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n(wojciechregula.blog)\n\ncurl\nAvailable for: macOS Monterey\nImpact: Multiple issues in curl\nDescription: Multiple issues were addressed by updating to curl\nversion 7.86.0. \nCVE-2022-42915\nCVE-2022-42916\nCVE-2022-32221\nCVE-2022-35260\n\ncurl\nAvailable for: macOS Monterey\nImpact: Multiple issues in curl\nDescription: Multiple issues were addressed by updating to curl\nversion 7.85.0. \nCVE-2022-35252\n\ndcerpc\nAvailable for: macOS Monterey\nImpact: Mounting a maliciously crafted Samba network share may lead\nto arbitrary code execution\nDescription: A buffer overflow issue was addressed with improved\nmemory handling. \nCVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco\nTalos\n\nDiskArbitration\nAvailable for: macOS Monterey\nImpact: An encrypted volume may be unmounted and remounted by a\ndifferent user without prompting for the password\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)\n\nDriverKit\nAvailable for: macOS Monterey\nImpact: An app may be able to execute arbitrary code with kernel\nprivileges\nDescription: A type confusion issue was addressed with improved\nchecks. \nCVE-2022-32915: Tommy Muir (@Muirey03)\n\nIntel Graphics Driver\nAvailable for: macOS Monterey\nImpact: An app may be able to execute arbitrary code with kernel\nprivileges\nDescription: The issue was addressed with improved bounds checks. \nCVE-2023-23507: an anonymous researcher\n\nKernel\nAvailable for: macOS Monterey\nImpact: An app may be able to execute arbitrary code with kernel\nprivileges\nDescription: The issue was addressed with improved memory handling. \nCVE-2023-23504: Adam Doup\u00e9 of ASU SEFCOM\n\nKernel\nAvailable for: macOS Monterey\nImpact: An app may be able to determine kernel memory layout\nDescription: An information disclosure issue was addressed by\nremoving the vulnerable code. \nCVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. (@starlabs_sg)\n\nPackageKit\nAvailable for: macOS Monterey\nImpact: An app may be able to gain root privileges\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2023-23497: Mickey Jin (@patch1t)\n\nScreen Time\nAvailable for: macOS Monterey\nImpact: An app may be able to access information about a user\u2019s\ncontacts\nDescription: A privacy issue was addressed with improved private data\nredaction for log entries. \nCVE-2023-23505: Wojciech Regula of SecuRing (wojciechregula.blog)\n\nWeather\nAvailable for: macOS Monterey\nImpact: An app may be able to bypass Privacy preferences\nDescription: The issue was addressed with improved memory handling. \nCVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an\nanonymous researcher\n\nWebKit\nAvailable for: macOS Monterey\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: The issue was addressed with improved memory handling. \nWebKit Bugzilla: 248268\nCVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park\n(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),\nJunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE\nWebKit Bugzilla: 248268\nCVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park\n(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),\nJunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE\n\nWindows Installer\nAvailable for: macOS Monterey\nImpact: An app may be able to bypass Privacy preferences\nDescription: The issue was addressed with improved memory handling. \nCVE-2023-23508: Mickey Jin (@patch1t)\n\nAdditional recognition\n\nKernel\nWe would like to acknowledge Nick Stenning of Replicate for their\nassistance. \n\nmacOS Monterey 12.6.3 may be obtained from the Mac App Store or\nApple\u0027s Software Downloads web site:\nhttps://support.apple.com/downloads/\nAll information is also posted on the Apple Security Updates\nweb site: https://support.apple.com/en-us/HT201222. \n\nThe following advisory data is extracted from:\n\nhttps://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0428.json\n\nRed Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat\u0027s archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. Summary:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.6.6 General\nAvailability release images, which fix security issues and update container\nimages. Description:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.6.6 images\n\nRed Hat Advanced Cluster Management for Kubernetes provides the\ncapabilities to address common challenges that administrators and site\nreliability engineers face as they work across a range of public and\nprivate cloud environments. Clusters and applications are all visible and\nmanaged from a single console\u2014with security policy built in. \n\nThis advisory contains the container images for Red Hat Advanced Cluster\nManagement for Kubernetes, which fix several bugs. See the following\nRelease Notes documentation, which will be updated shortly for this\nrelease, for additional details about this release:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/\n\nSecurity Fix(es):\n* CVE-2023-28856 redis: Insufficient validation of HINCRBYFLOAT command\n* CVE-2023-32314 vm2: Sandbox Escape\n* CVE-2023-32313 vm2: Inspect Manipulation\n\n3. Solution:\n\nFor Red Hat Advanced Cluster Management for Kubernetes, see the following\ndocumentation for details on how to install the images:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/install/installing#installing-while-connected-online\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n2187525 - CVE-2023-28856 redis: Insufficient validation of HINCRBYFLOAT command\n2208376 - CVE-2023-32314 vm2: Sandbox Escape\n2208377 - CVE-2023-32313 vm2: Inspect Manipulation\n\n5. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Low: curl security update\nAdvisory ID: RHSA-2023:2478-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:2478\nIssue date: 2023-05-09\nCVE Names: CVE-2022-35252 CVE-2022-43552\n====================================================================\n1. Summary:\n\nAn update for curl is now available for Red Hat Enterprise Linux 9. \n\nRed Hat Product Security has rated this update as having a security impact\nof Low. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nThe curl packages provide the libcurl library and the curl utility for\ndownloading files from servers using various protocols, including HTTP,\nFTP, and LDAP. \n\nSecurity Fix(es):\n\n* curl: Incorrect handling of control code characters in cookies\n(CVE-2022-35252)\n\n* curl: Use-after-free triggered by an HTTP proxy deny response\n(CVE-2022-43552)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 9.2 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2120718 - CVE-2022-35252 curl: Incorrect handling of control code characters in cookies\n2152652 - CVE-2022-43552 curl: Use-after-free triggered by an HTTP proxy deny response\n\n6. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 9):\n\naarch64:\ncurl-debuginfo-7.76.1-23.el9.aarch64.rpm\ncurl-debugsource-7.76.1-23.el9.aarch64.rpm\ncurl-minimal-debuginfo-7.76.1-23.el9.aarch64.rpm\nlibcurl-debuginfo-7.76.1-23.el9.aarch64.rpm\nlibcurl-devel-7.76.1-23.el9.aarch64.rpm\nlibcurl-minimal-debuginfo-7.76.1-23.el9.aarch64.rpm\n\nppc64le:\ncurl-debuginfo-7.76.1-23.el9.ppc64le.rpm\ncurl-debugsource-7.76.1-23.el9.ppc64le.rpm\ncurl-minimal-debuginfo-7.76.1-23.el9.ppc64le.rpm\nlibcurl-debuginfo-7.76.1-23.el9.ppc64le.rpm\nlibcurl-devel-7.76.1-23.el9.ppc64le.rpm\nlibcurl-minimal-debuginfo-7.76.1-23.el9.ppc64le.rpm\n\ns390x:\ncurl-debuginfo-7.76.1-23.el9.s390x.rpm\ncurl-debugsource-7.76.1-23.el9.s390x.rpm\ncurl-minimal-debuginfo-7.76.1-23.el9.s390x.rpm\nlibcurl-debuginfo-7.76.1-23.el9.s390x.rpm\nlibcurl-devel-7.76.1-23.el9.s390x.rpm\nlibcurl-minimal-debuginfo-7.76.1-23.el9.s390x.rpm\n\nx86_64:\ncurl-debuginfo-7.76.1-23.el9.i686.rpm\ncurl-debuginfo-7.76.1-23.el9.x86_64.rpm\ncurl-debugsource-7.76.1-23.el9.i686.rpm\ncurl-debugsource-7.76.1-23.el9.x86_64.rpm\ncurl-minimal-debuginfo-7.76.1-23.el9.i686.rpm\ncurl-minimal-debuginfo-7.76.1-23.el9.x86_64.rpm\nlibcurl-debuginfo-7.76.1-23.el9.i686.rpm\nlibcurl-debuginfo-7.76.1-23.el9.x86_64.rpm\nlibcurl-devel-7.76.1-23.el9.i686.rpm\nlibcurl-devel-7.76.1-23.el9.x86_64.rpm\nlibcurl-minimal-debuginfo-7.76.1-23.el9.i686.rpm\nlibcurl-minimal-debuginfo-7.76.1-23.el9.x86_64.rpm\n\nRed Hat Enterprise Linux BaseOS (v. 9):\n\nSource:\ncurl-7.76.1-23.el9.src.rpm\n\naarch64:\ncurl-7.76.1-23.el9.aarch64.rpm\ncurl-debuginfo-7.76.1-23.el9.aarch64.rpm\ncurl-debugsource-7.76.1-23.el9.aarch64.rpm\ncurl-minimal-7.76.1-23.el9.aarch64.rpm\ncurl-minimal-debuginfo-7.76.1-23.el9.aarch64.rpm\nlibcurl-7.76.1-23.el9.aarch64.rpm\nlibcurl-debuginfo-7.76.1-23.el9.aarch64.rpm\nlibcurl-minimal-7.76.1-23.el9.aarch64.rpm\nlibcurl-minimal-debuginfo-7.76.1-23.el9.aarch64.rpm\n\nppc64le:\ncurl-7.76.1-23.el9.ppc64le.rpm\ncurl-debuginfo-7.76.1-23.el9.ppc64le.rpm\ncurl-debugsource-7.76.1-23.el9.ppc64le.rpm\ncurl-minimal-7.76.1-23.el9.ppc64le.rpm\ncurl-minimal-debuginfo-7.76.1-23.el9.ppc64le.rpm\nlibcurl-7.76.1-23.el9.ppc64le.rpm\nlibcurl-debuginfo-7.76.1-23.el9.ppc64le.rpm\nlibcurl-minimal-7.76.1-23.el9.ppc64le.rpm\nlibcurl-minimal-debuginfo-7.76.1-23.el9.ppc64le.rpm\n\ns390x:\ncurl-7.76.1-23.el9.s390x.rpm\ncurl-debuginfo-7.76.1-23.el9.s390x.rpm\ncurl-debugsource-7.76.1-23.el9.s390x.rpm\ncurl-minimal-7.76.1-23.el9.s390x.rpm\ncurl-minimal-debuginfo-7.76.1-23.el9.s390x.rpm\nlibcurl-7.76.1-23.el9.s390x.rpm\nlibcurl-debuginfo-7.76.1-23.el9.s390x.rpm\nlibcurl-minimal-7.76.1-23.el9.s390x.rpm\nlibcurl-minimal-debuginfo-7.76.1-23.el9.s390x.rpm\n\nx86_64:\ncurl-7.76.1-23.el9.x86_64.rpm\ncurl-debuginfo-7.76.1-23.el9.i686.rpm\ncurl-debuginfo-7.76.1-23.el9.x86_64.rpm\ncurl-debugsource-7.76.1-23.el9.i686.rpm\ncurl-debugsource-7.76.1-23.el9.x86_64.rpm\ncurl-minimal-7.76.1-23.el9.x86_64.rpm\ncurl-minimal-debuginfo-7.76.1-23.el9.i686.rpm\ncurl-minimal-debuginfo-7.76.1-23.el9.x86_64.rpm\nlibcurl-7.76.1-23.el9.i686.rpm\nlibcurl-7.76.1-23.el9.x86_64.rpm\nlibcurl-debuginfo-7.76.1-23.el9.i686.rpm\nlibcurl-debuginfo-7.76.1-23.el9.x86_64.rpm\nlibcurl-minimal-7.76.1-23.el9.i686.rpm\nlibcurl-minimal-7.76.1-23.el9.x86_64.rpm\nlibcurl-minimal-debuginfo-7.76.1-23.el9.i686.rpm\nlibcurl-minimal-debuginfo-7.76.1-23.el9.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2022-35252\nhttps://access.redhat.com/security/cve/CVE-2022-43552\nhttps://access.redhat.com/security/updates/classification/#low\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBZFo0V9zjgjWX9erEAQhmTw/9FUwLCGRKCmddNVTMAaay54EPggJFOPKx\nnN06YIqiK5arkX4SD58YZrX9J0gUZcwGs6s5WO35pG3F+qJXhe8E8fbzavqRG5NB\noxG+pDC5+6xQxK41tkuLYJoUhF1w4yG8SuMSzroLcpbut/MAjKGGw4qgyNGit1Su\nxFGrDTyFxtj+tUZIQCil0HAqlXswQ7G2ukB9kQBpxNRfR0V2ANfmfkkGj8+xWauh\nL1PcaDezNWgAbgWbuf3mHNiwDMxWsNfcwCbx3P8sF+vRe7q5RdIFNL1oXJkPxQVy\nC6L29KcaLYxToNmUNyrOncWAj8KSlrDngVq3NXnG34lVzqz2t/ouc/0lX4Jc9qTL\nmGwYoXvlTqQgV4hGQPfDufApaukxgZfcSidSfqlNt1amYYNiYcvIyf15dht87ipB\n27ahZWDKvunB4gqMG62XNHyiu9bKmDCyL57ggUBt3wxJ7H9M/OgjsI7C/i/10SMT\nD75GjYaU2TWyGLd4SvbV6/3pA3zAZ0Ffqc66uANwfBXC7jFd2/ykEBir3vJYTq17\nr2YWYgH2sma5kwb7ZHQhLKk+N2a0g1KX+Mr0V2wJ+yAYwkbz6wu/BVDXstBFkumJ\n/iKmtOn0Mk07wo/3wvWu5M4tk4kZzmLzs1/ybH3GWOUbFUxbqgOos3/0Vi/uSW88\nYxf4bV/uBmU=HlZ2\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. Description:\n\nVolSync is a Kubernetes operator that enables asynchronous replication of\npersistent volumes within a cluster, or across clusters. After deploying\nthe VolSync operator, it can create and maintain copies of your persistent\ndata. \n\nFor more information about VolSync, see:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/add-ons/add-ons-overview#volsync\n\nor the VolSync open source community website at:\nhttps://volsync.readthedocs.io/en/stable/. \n\nSecurity fix(es): * CVE-2023-3089 openshift: OCP \u0026 FIPS mode\n\n3. Bugs fixed (https://bugzilla.redhat.com/):\n\n2212085 - CVE-2023-3089 openshift: OCP \u0026 FIPS mode\n\n5",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-35252"
},
{
"db": "VULHUB",
"id": "VHN-428403"
},
{
"db": "VULMON",
"id": "CVE-2022-35252"
},
{
"db": "PACKETSTORM",
"id": "168239"
},
{
"db": "PACKETSTORM",
"id": "170303"
},
{
"db": "PACKETSTORM",
"id": "170697"
},
{
"db": "PACKETSTORM",
"id": "170698"
},
{
"db": "PACKETSTORM",
"id": "176746"
},
{
"db": "PACKETSTORM",
"id": "172378"
},
{
"db": "PACKETSTORM",
"id": "172587"
},
{
"db": "PACKETSTORM",
"id": "172195"
},
{
"db": "PACKETSTORM",
"id": "174080"
}
],
"trust": 1.89
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2022-35252",
"trust": 2.7
},
{
"db": "HACKERONE",
"id": "1613943",
"trust": 1.7
},
{
"db": "PACKETSTORM",
"id": "168239",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202208-4523",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "170698",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2022.4343",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.6333",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.4375",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.3732",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.2163",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.3143",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.3060",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.4374",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-428403",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2022-35252",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170303",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170697",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "176746",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172378",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172587",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172195",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "174080",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-428403"
},
{
"db": "VULMON",
"id": "CVE-2022-35252"
},
{
"db": "PACKETSTORM",
"id": "168239"
},
{
"db": "PACKETSTORM",
"id": "170303"
},
{
"db": "PACKETSTORM",
"id": "170697"
},
{
"db": "PACKETSTORM",
"id": "170698"
},
{
"db": "PACKETSTORM",
"id": "176746"
},
{
"db": "PACKETSTORM",
"id": "172378"
},
{
"db": "PACKETSTORM",
"id": "172587"
},
{
"db": "PACKETSTORM",
"id": "172195"
},
{
"db": "PACKETSTORM",
"id": "174080"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-4523"
},
{
"db": "NVD",
"id": "CVE-2022-35252"
}
]
},
"id": "VAR-202208-2263",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-428403"
}
],
"trust": 0.01
},
"last_update_date": "2026-03-09T23:13:33.194000Z",
"patch": {
"_id": null,
"data": [
{
"title": "curl Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=206230"
},
{
"title": "Debian CVElist Bug Report Logs: curl: CVE-2022-35252: control code in cookie denial of service",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=f071eb46e3ac96bc3c50d0406c2d0685"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/JtMotoX/docker-trivy "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-35252"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-4523"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
},
{
"problemtype": "CWE-20",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-35252"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/202212-01"
},
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20220930-0005/"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213603"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213604"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2023/jan/20"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2023/jan/21"
},
{
"trust": 1.7,
"url": "https://hackerone.com/reports/1613943"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html"
},
{
"trust": 1.0,
"url": "https://access.redhat.com/security/cve/cve-2022-35252"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-35252"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/170698/apple-security-advisory-2023-01-23-6.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.3143"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.2163"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.3060"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-35252/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.3732"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht213604"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/curl-denial-of-service-via-cookies-control-codes-39156"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168239/ubuntu-security-notice-usn-5587-1.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.4374"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.4343"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.4375"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.6333"
},
{
"trust": 0.4,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.4,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2022-43552"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-43552"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-35260"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42916"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42915"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32221"
},
{
"trust": 0.2,
"url": "https://support.apple.com/downloads/"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23497"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23505"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23499"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23508"
},
{
"trust": 0.2,
"url": "https://www.apple.com/support/security/pgp/"
},
{
"trust": 0.2,
"url": "https://support.apple.com/en-us/ht201222."
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#low"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2023-0361"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2023-27535"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-36227"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018831"
},
{
"trust": 0.1,
"url": "https://github.com/jtmotox/docker-trivy"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.20"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5587-1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.4"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.13"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22922"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-27782"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-27776"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-27779"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30115"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22576"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22925"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22926"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-27781"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22945"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32208"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32206"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32207"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-27774"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-27775"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32205"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-27780"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22923"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22946"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22947"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23507"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23493"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23504"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32915"
},
{
"trust": 0.1,
"url": "https://support.apple.com/ht213604."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23502"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23518"
},
{
"trust": 0.1,
"url": "https://support.apple.com/ht213603."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23517"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23513"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2152652"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2024:0428"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0428.json"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179073"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2120718"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179092"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252030"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196793"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:2963"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3619"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-41674"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42721"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30594"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2196"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3625"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-43750"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30594"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-4129"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-41218"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-3239"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-3522"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-26341"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3239"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-25815"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42722"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1679"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2663"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3707"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-1582"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1462"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-22490"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-3028"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-20141"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-32314"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-47929"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-39188"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2663"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-32313"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3623"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-1999"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-26341"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3566"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1789"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3627"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1789"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-20141"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-28856"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2196"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-23454"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-25265"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3524"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-39189"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33656"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3970"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3028"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3567"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33656"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0394"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0461"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33655"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-25652"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33655"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:3326"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3628"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3564"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-1195"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/install/installing#installing-while-connected-online"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42720"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-23946"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42703"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25265"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3522"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-29007"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1462"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1679"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:2478"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-1667"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-2283"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-0361"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-24736"
},
{
"trust": 0.1,
"url": "https://volsync.readthedocs.io/en/stable/."
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:4576"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-38408"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24736"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/add-ons/add-ons-overview#volsync"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2283"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/add-ons/add-ons-overview#volsync-rep"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-3089"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-24329"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-1667"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-26604"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/vulnerabilities/rhsb-2023-001"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-24329"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-27535"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-38408"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-3089"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-26604"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-36227"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-428403"
},
{
"db": "VULMON",
"id": "CVE-2022-35252"
},
{
"db": "PACKETSTORM",
"id": "168239"
},
{
"db": "PACKETSTORM",
"id": "170303"
},
{
"db": "PACKETSTORM",
"id": "170697"
},
{
"db": "PACKETSTORM",
"id": "170698"
},
{
"db": "PACKETSTORM",
"id": "176746"
},
{
"db": "PACKETSTORM",
"id": "172378"
},
{
"db": "PACKETSTORM",
"id": "172587"
},
{
"db": "PACKETSTORM",
"id": "172195"
},
{
"db": "PACKETSTORM",
"id": "174080"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-4523"
},
{
"db": "NVD",
"id": "CVE-2022-35252"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "VULHUB",
"id": "VHN-428403",
"ident": null
},
{
"db": "VULMON",
"id": "CVE-2022-35252",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "168239",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "170303",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "170697",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "170698",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "176746",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "172378",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "172587",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "172195",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "174080",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-202208-4523",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2022-35252",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2022-09-23T00:00:00",
"db": "VULHUB",
"id": "VHN-428403",
"ident": null
},
{
"date": "2022-09-02T15:21:41",
"db": "PACKETSTORM",
"id": "168239",
"ident": null
},
{
"date": "2022-12-19T13:48:31",
"db": "PACKETSTORM",
"id": "170303",
"ident": null
},
{
"date": "2023-01-24T16:41:07",
"db": "PACKETSTORM",
"id": "170697",
"ident": null
},
{
"date": "2023-01-24T16:41:28",
"db": "PACKETSTORM",
"id": "170698",
"ident": null
},
{
"date": "2024-01-26T15:24:15",
"db": "PACKETSTORM",
"id": "176746",
"ident": null
},
{
"date": "2023-05-16T17:09:54",
"db": "PACKETSTORM",
"id": "172378",
"ident": null
},
{
"date": "2023-05-26T14:34:05",
"db": "PACKETSTORM",
"id": "172587",
"ident": null
},
{
"date": "2023-05-09T15:14:58",
"db": "PACKETSTORM",
"id": "172195",
"ident": null
},
{
"date": "2023-08-09T15:56:32",
"db": "PACKETSTORM",
"id": "174080",
"ident": null
},
{
"date": "2022-08-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-4523",
"ident": null
},
{
"date": "2022-09-23T14:15:12.323000",
"db": "NVD",
"id": "CVE-2022-35252",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2023-03-01T00:00:00",
"db": "VULHUB",
"id": "VHN-428403",
"ident": null
},
{
"date": "2023-06-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-4523",
"ident": null
},
{
"date": "2025-05-05T17:18:16.463000",
"db": "NVD",
"id": "CVE-2022-35252",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-4523"
}
],
"trust": 0.6
},
"title": {
"_id": null,
"data": "curl Security hole",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-4523"
}
],
"trust": 0.6
},
"type": {
"_id": null,
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-4523"
}
],
"trust": 0.6
}
}
VDE-2023-001
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2023-02-14 07:50 - Updated: 2025-06-05 13:28Summary
PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware
Notes
Summary: A new LTS Firmware release fixes known vulnerabilities in used open-source libraries.
In addition, the following improvements have been implemented:
HMI
- Hardening against DoS attacks. - Hardening against memory leak problems in case of network attacks.
WBM
- Umlauts in the password of the 'User Manager' were not handled correctly. The password rule for upper and lower case was not followed. This could lead to unintentionally weaker passwords.- Hardening of WBM against Cross-Site-Scripting.
User Manager
- In security notifications 'SecurityToken' was always displayed as '0000000' when creating or modifying users.- Hardening of Trust and Identity Stores.
Impact: Please consult the CVE entries listed above.
Mitigation: Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Remediation: Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
8.1 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.
CWE-20 - Improper Input Validation
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
7.5 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
7.5 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
9.8 (Critical)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Git is an open source, scalable, distributed revision control system. 'git shell' is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an 'int' to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to 'execv()', it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to 'git shell' as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling 'git shell' access via remote logins is a viable short-term workaround.
8.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's '$GIT_DIR/objects' directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via '--no-hardlinks'). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the '--recurse-submodules' option. Git does not create symbolic links in the '$GIT_DIR/objects' directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the '--local' optimization when on a shared machine, either by passing the '--no-local' option to 'git clone' or cloning from a URL that uses the 'file://' scheme. Alternatively, avoid cloning repositories from untrusted sources with '--recurse-submodules' or run 'git config --global protocol.file.allow user'.
5.5 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
8.1 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.
7.5 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.
7.5 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.
6.6 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.
5.5 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
6.5 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
5.3 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.
7.5 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.
7.5 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.
7.1 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0101.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0102.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Out-of-bounds Write to API in GitHub repository vim/vim prior to 9.0.0100.
5.5 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Use After Free in GitHub repository vim/vim prior to 9.0.0490.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.
9.8 (Critical)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Use After Free in GitHub repository vim/vim prior to 9.0.0530.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
6.5 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.
5.5 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
5.9 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
A malicious server can serve excessive amounts of 'Set-Cookie:' headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on 'foo.example.com' can set cookies that also would match for 'bar.example.com', making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.
4.3 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Use After Free in GitHub repository vim/vim prior to 9.0.0579.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Use After Free in GitHub repository vim/vim prior to 9.0.0614.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.
7.5 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
9.8 (Critical)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Use After Free in GitHub repository vim/vim prior to 9.0.0046.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.
5.5 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.
5.5 (Medium)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
7.1 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Use After Free in GitHub repository vim/vim prior to 9.0.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
7.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update to the latest 2023.0.0 LTS Firmware Release.
PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — |
References
4 references
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A new LTS Firmware release fixes known vulnerabilities in used open-source libraries.\nIn addition, the following improvements\u00a0have been implemented:\nHMI\n- Hardening against DoS attacks. - Hardening against memory leak problems in case of network attacks.\nWBM\n- Umlauts in the password of the \u0027User Manager\u0027 were not handled correctly. The password rule for upper and lower case was not followed. This could lead to unintentionally weaker passwords.- Hardening of WBM against Cross-Site-Scripting.\nUser Manager\n- In security notifications \u0027SecurityToken\u0027 was always displayed as \u00270000000\u0027 when creating or modifying users.- Hardening of Trust and Identity Stores.",
"title": "Summary"
},
{
"category": "description",
"text": "Please consult the CVE entries listed above.",
"title": "Impact"
},
{
"category": "description",
"text": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"title": "Mitigation"
},
{
"category": "description",
"text": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "self",
"summary": "VDE-2023-001: PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware - HTML",
"url": "https://certvde.com/en/advisories/VDE-2023-001/"
},
{
"category": "self",
"summary": "VDE-2023-001: PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-001.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://phoenixcontact.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Phoenix Contact GmbH \u0026 Co. KG",
"url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
}
],
"title": "PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware",
"tracking": {
"aliases": [
"VDE-2023-001"
],
"current_release_date": "2025-06-05T13:28:12.000Z",
"generator": {
"date": "2025-05-08T11:33:36.410Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.25"
}
},
"id": "VDE-2023-001",
"initial_release_date": "2023-02-14T07:50:00.000Z",
"revision_history": [
{
"date": "2023-02-14T07:50:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-06-05T13:28:12.000Z",
"number": "2",
"summary": "Fix: quotation mark"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "AXC F 1152",
"product": {
"name": "AXC F 1152",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"1151412"
]
}
}
},
{
"category": "product_name",
"name": "AXC F 2152",
"product": {
"name": "AXC F 2152",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"2404267"
]
}
}
},
{
"category": "product_name",
"name": "AXC F 3152",
"product": {
"name": "AXC F 3152",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"1069208"
]
}
}
},
{
"category": "product_name",
"name": "BPC 9102S",
"product": {
"name": "BPC 9102S",
"product_id": "CSAFPID-11004",
"product_identification_helper": {
"model_numbers": [
"1246285"
]
}
}
},
{
"category": "product_name",
"name": "RFC 4072R",
"product": {
"name": "RFC 4072R",
"product_id": "CSAFPID-11005",
"product_identification_helper": {
"model_numbers": [
"1136419"
]
}
}
},
{
"category": "product_name",
"name": "RFC 4072S",
"product": {
"name": "RFC 4072S",
"product_id": "CSAFPID-11006",
"product_identification_helper": {
"model_numbers": [
"1051328"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2023.0.0 LTS",
"product": {
"name": "Firmware \u003c2023.0.0 LTS",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version",
"name": "2023.0.0 LTS",
"product": {
"name": "Firmware 2023.0.0 LTS",
"product_id": "CSAFPID-22001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "PHOENIX CONTACT"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2023.0.0 LTS installed on AXC F 1152",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2023.0.0 LTS installed on AXC F 2152",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2023.0.0 LTS installed on AXC F 3152",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2023.0.0 LTS installed on BPC 9102S",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2023.0.0 LTS installed on RFC 4072R",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2023.0.0 LTS installed on RFC 4072S",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2023.0.0 LTS installed on AXC F 1152",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2023.0.0 LTS installed on AXC F 2152",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2023.0.0 LTS installed on AXC F 3152",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2023.0.0 LTS installed on BPC 9102S",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2023.0.0 LTS installed on RFC 4072R",
"product_id": "CSAFPID-32005"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2023.0.0 LTS installed on RFC 4072S",
"product_id": "CSAFPID-32006"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11006"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-30065",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "A use-after-free in Busybox 1.35-x\u0027s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-30065"
},
{
"cve": "CVE-2022-40674",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-40674"
},
{
"cve": "CVE-2022-35252",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"environmentalScore": 3.7,
"environmentalSeverity": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 3.7,
"temporalSeverity": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-35252"
},
{
"cve": "CVE-2022-43680",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-43680"
},
{
"cve": "CVE-2022-42916",
"cwe": {
"id": "CWE-319",
"name": "Cleartext Transmission of Sensitive Information"
},
"notes": [
{
"category": "description",
"text": "In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-42916"
},
{
"cve": "CVE-2022-1664",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "description",
"text": "Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-1664"
},
{
"cve": "CVE-2022-1304",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-1304"
},
{
"cve": "CVE-2022-29187",
"cwe": {
"id": "CWE-427",
"name": "Uncontrolled Search Path Element"
},
"notes": [
{
"category": "description",
"text": "Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-29187"
},
{
"cve": "CVE-2022-39260",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "Git is an open source, scalable, distributed revision control system. \u0027git shell\u0027 is a restricted login shell that can be used to implement Git\u0027s push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an \u0027int\u0027 to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to \u0027execv()\u0027, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to \u0027git shell\u0027 as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling \u0027git shell\u0027 access via remote logins is a viable short-term workaround.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-39260"
},
{
"cve": "CVE-2022-39253",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"notes": [
{
"category": "description",
"text": "Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source\u0027s \u0027$GIT_DIR/objects\u0027 directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via \u0027--no-hardlinks\u0027). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim\u0027s machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the \u0027--recurse-submodules\u0027 option. Git does not create symbolic links in the \u0027$GIT_DIR/objects\u0027 directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the \u0027--local\u0027 optimization when on a shared machine, either by passing the \u0027--no-local\u0027 option to \u0027git clone\u0027 or cloning from a URL that uses the \u0027file://\u0027 scheme. Alternatively, avoid cloning repositories from untrusted sources with \u0027--recurse-submodules\u0027 or run \u0027git config --global protocol.file.allow user\u0027.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-39253"
},
{
"cve": "CVE-2022-42915",
"cwe": {
"id": "CWE-415",
"name": "Double Free"
},
"notes": [
{
"category": "description",
"text": "curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-42915"
},
{
"cve": "CVE-2022-2509",
"cwe": {
"id": "CWE-415",
"name": "Double Free"
},
"notes": [
{
"category": "description",
"text": "A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2509"
},
{
"cve": "CVE-2021-46828",
"cwe": {
"id": "CWE-755",
"name": "Improper Handling of Exceptional Conditions"
},
"notes": [
{
"category": "description",
"text": "In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2021-46828"
},
{
"cve": "CVE-2022-40304",
"cwe": {
"id": "CWE-415",
"name": "Double Free"
},
"notes": [
{
"category": "description",
"text": "An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-40304"
},
{
"cve": "CVE-2022-1015",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 6.6,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 6.6,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-1015"
},
{
"cve": "CVE-2022-1016",
"cwe": {
"id": "CWE-909",
"name": "Missing Initialization of Resource"
},
"notes": [
{
"category": "description",
"text": "A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle \u0027return\u0027 with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-1016"
},
{
"cve": "CVE-2022-1348",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "description",
"text": "A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 6.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-1348"
},
{
"cve": "CVE-2022-2097",
"cwe": {
"id": "CWE-327",
"name": "Use of a Broken or Risky Cryptographic Algorithm"
},
"notes": [
{
"category": "description",
"text": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn\u0027t written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 5.3,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.3,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2097"
},
{
"cve": "CVE-2022-42919",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "description",
"text": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-42919"
},
{
"cve": "CVE-2002-20001",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "description",
"text": "The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2002-20001"
},
{
"cve": "CVE-2022-40617",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "description",
"text": "strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker\u0027s control) that doesn\u0027t properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-40617"
},
{
"cve": "CVE-2022-43995",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-43995"
},
{
"cve": "CVE-2022-2522",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2522"
},
{
"cve": "CVE-2022-2571",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0101.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2571"
},
{
"cve": "CVE-2022-2580",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0102.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2580"
},
{
"cve": "CVE-2022-2581",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2581"
},
{
"cve": "CVE-2022-2598",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "Out-of-bounds Write to API in GitHub repository vim/vim prior to 9.0.0100.\n\n",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2598"
},
{
"cve": "CVE-2022-3234",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-3234"
},
{
"cve": "CVE-2022-3235",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "Use After Free in GitHub repository vim/vim prior to 9.0.0490.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-3235"
},
{
"cve": "CVE-2022-32207",
"cwe": {
"id": "CWE-276",
"name": "Incorrect Default Permissions"
},
"notes": [
{
"category": "description",
"text": "When curl \u003c 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-32207"
},
{
"cve": "CVE-2022-3256",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "Use After Free in GitHub repository vim/vim prior to 9.0.0530.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-3256"
},
{
"cve": "CVE-2022-32206",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "description",
"text": "curl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 6.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-32206"
},
{
"cve": "CVE-2022-3278",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-3278"
},
{
"cve": "CVE-2022-32208",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "When curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalScore": 5.9,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.9,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-32208"
},
{
"cve": "CVE-2022-3296",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-3296"
},
{
"cve": "CVE-2022-32205",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "description",
"text": "A malicious server can serve excessive amounts of \u0027Set-Cookie:\u0027 headers in a HTTP response to curl and curl \u003c 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven\u0027t expired. Due to cookie matching rules, a server on \u0027foo.example.com\u0027 can set cookies that also would match for \u0027bar.example.com\u0027, making it it possible for a \"sister server\" to effectively cause a denial of service for a sibling site on the same second level domain using this method.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 4.3,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 4.3,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-32205"
},
{
"cve": "CVE-2022-3297",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "Use After Free in GitHub repository vim/vim prior to 9.0.0579.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-3297"
},
{
"cve": "CVE-2022-3324",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-3324"
},
{
"cve": "CVE-2022-3352",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "Use After Free in GitHub repository vim/vim prior to 9.0.0614.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-3352"
},
{
"cve": "CVE-2022-3705",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "description",
"text": "A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-3705"
},
{
"cve": "CVE-2022-37434",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-37434"
},
{
"cve": "CVE-2022-1927",
"cwe": {
"id": "CWE-126",
"name": "Buffer Over-read"
},
"notes": [
{
"category": "description",
"text": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-1927"
},
{
"cve": "CVE-2022-1942",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-1942"
},
{
"cve": "CVE-2022-2129",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2129"
},
{
"cve": "CVE-2022-2175",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2175"
},
{
"cve": "CVE-2022-2182",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2182"
},
{
"cve": "CVE-2022-2183",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2183"
},
{
"cve": "CVE-2022-2343",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2343"
},
{
"cve": "CVE-2022-2207",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2207"
},
{
"cve": "CVE-2022-2210",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2210"
},
{
"cve": "CVE-2022-2344",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2344"
},
{
"cve": "CVE-2022-2304",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2304"
},
{
"cve": "CVE-2022-2345",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "Use After Free in GitHub repository vim/vim prior to 9.0.0046.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2345"
},
{
"cve": "CVE-2022-2208",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2208"
},
{
"cve": "CVE-2022-2231",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2231"
},
{
"cve": "CVE-2022-2287",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.1,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2287"
},
{
"cve": "CVE-2022-2285",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "description",
"text": "Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2285"
},
{
"cve": "CVE-2022-2284",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2284"
},
{
"cve": "CVE-2022-2286",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2286"
},
{
"cve": "CVE-2022-2289",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "Use After Free in GitHub repository vim/vim prior to 9.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2289"
},
{
"cve": "CVE-2022-2288",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2288"
},
{
"cve": "CVE-2022-2264",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "description",
"text": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2264"
},
{
"cve": "CVE-2022-2206",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2206"
},
{
"cve": "CVE-2022-2257",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update to the latest 2023.0.0 LTS Firmware Release.\nPHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2022-2257"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…