usn-5702-1
Vulnerability from osv_ubuntu
Robby Simpson discovered that curl incorrectly handled certain POST operations after PUT operations. This issue could cause applications using curl to send the wrong data, perform incorrect memory operations, or crash. (CVE-2022-32221)
Hiroki Kurosawa discovered that curl incorrectly handled parsing .netrc files. If an attacker were able to provide a specially crafted .netrc file, this issue could cause curl to crash, resulting in a denial of service. This issue only affected Ubuntu 22.10. (CVE-2022-35260)
It was discovered that curl incorrectly handled certain HTTP proxy return codes. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-42915)
Hiroki Kurosawa discovered that curl incorrectly handled HSTS support when certain hostnames included IDN characters. A remote attacker could possibly use this issue to cause curl to use unencrypted connections. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-42916)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-32221",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "curl",
"binary_version": "7.58.0-2ubuntu3.21"
},
{
"binary_name": "libcurl3-gnutls",
"binary_version": "7.58.0-2ubuntu3.21"
},
{
"binary_name": "libcurl3-nss",
"binary_version": "7.58.0-2ubuntu3.21"
},
{
"binary_name": "libcurl4",
"binary_version": "7.58.0-2ubuntu3.21"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "curl",
"purl": "pkg:deb/ubuntu/curl@7.58.0-2ubuntu3.21?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.58.0-2ubuntu3.21"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.55.1-1ubuntu2",
"7.55.1-1ubuntu2.1",
"7.57.0-1ubuntu1",
"7.58.0-2ubuntu1",
"7.58.0-2ubuntu2",
"7.58.0-2ubuntu3",
"7.58.0-2ubuntu3.1",
"7.58.0-2ubuntu3.2",
"7.58.0-2ubuntu3.3",
"7.58.0-2ubuntu3.5",
"7.58.0-2ubuntu3.6",
"7.58.0-2ubuntu3.7",
"7.58.0-2ubuntu3.8",
"7.58.0-2ubuntu3.9",
"7.58.0-2ubuntu3.10",
"7.58.0-2ubuntu3.12",
"7.58.0-2ubuntu3.13",
"7.58.0-2ubuntu3.14",
"7.58.0-2ubuntu3.15",
"7.58.0-2ubuntu3.16",
"7.58.0-2ubuntu3.17",
"7.58.0-2ubuntu3.18",
"7.58.0-2ubuntu3.19",
"7.58.0-2ubuntu3.20"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-32221",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "curl",
"binary_version": "7.68.0-1ubuntu2.14"
},
{
"binary_name": "libcurl3-gnutls",
"binary_version": "7.68.0-1ubuntu2.14"
},
{
"binary_name": "libcurl3-nss",
"binary_version": "7.68.0-1ubuntu2.14"
},
{
"binary_name": "libcurl4",
"binary_version": "7.68.0-1ubuntu2.14"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "curl",
"purl": "pkg:deb/ubuntu/curl@7.68.0-1ubuntu2.14?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.68.0-1ubuntu2.14"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.65.3-1ubuntu3",
"7.65.3-1ubuntu4",
"7.66.0-1ubuntu1",
"7.67.0-2ubuntu1",
"7.68.0-1ubuntu1",
"7.68.0-1ubuntu2",
"7.68.0-1ubuntu2.1",
"7.68.0-1ubuntu2.2",
"7.68.0-1ubuntu2.4",
"7.68.0-1ubuntu2.5",
"7.68.0-1ubuntu2.6",
"7.68.0-1ubuntu2.7",
"7.68.0-1ubuntu2.10",
"7.68.0-1ubuntu2.11",
"7.68.0-1ubuntu2.12",
"7.68.0-1ubuntu2.13"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-32221",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-42915",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-42916",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "curl",
"binary_version": "7.81.0-1ubuntu1.6"
},
{
"binary_name": "libcurl3-gnutls",
"binary_version": "7.81.0-1ubuntu1.6"
},
{
"binary_name": "libcurl3-nss",
"binary_version": "7.81.0-1ubuntu1.6"
},
{
"binary_name": "libcurl4",
"binary_version": "7.81.0-1ubuntu1.6"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "curl",
"purl": "pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.6?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.81.0-1ubuntu1.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.74.0-1.3ubuntu2",
"7.74.0-1.3ubuntu3",
"7.80.0-3",
"7.81.0-1",
"7.81.0-1ubuntu1.1",
"7.81.0-1ubuntu1.2",
"7.81.0-1ubuntu1.3",
"7.81.0-1ubuntu1.4"
]
}
],
"aliases": [],
"details": "Robby Simpson discovered that curl incorrectly handled certain POST\noperations after PUT operations. This issue could cause applications using\ncurl to send the wrong data, perform incorrect memory operations, or crash.\n(CVE-2022-32221)\n\nHiroki Kurosawa discovered that curl incorrectly handled parsing .netrc\nfiles. If an attacker were able to provide a specially crafted .netrc file,\nthis issue could cause curl to crash, resulting in a denial of service.\nThis issue only affected Ubuntu 22.10. (CVE-2022-35260)\n\nIt was discovered that curl incorrectly handled certain HTTP proxy return\ncodes. A remote attacker could use this issue to cause curl to crash,\nresulting in a denial of service, or possibly execute arbitrary code. This\nissue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-42915)\n\nHiroki Kurosawa discovered that curl incorrectly handled HSTS support\nwhen certain hostnames included IDN characters. A remote attacker could\npossibly use this issue to cause curl to use unencrypted connections. This\nissue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-42916)\n",
"id": "USN-5702-1",
"modified": "2026-04-22T07:37:03Z",
"published": "2022-10-26T17:28:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5702-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-32221"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-35260"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-42915"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-42916"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "curl vulnerabilities",
"upstream": [
"UBUNTU-CVE-2022-32221",
"UBUNTU-CVE-2022-35260",
"UBUNTU-CVE-2022-42915",
"UBUNTU-CVE-2022-42916"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.