CyRC vulnerability of the month: curl

The curl vulnerability shows how we produced timely information by combing through source code commits in open source projects.


Vulnerabilities in curl

The free and open source command line tool curl transfers data specified with a URL. It supports a wide range of protocols and performs certificate verification when a secure protocol (e.g. HTTPS) requires it. It is embedded in a wide range of products, including cars, televisions, routers, printers, audio equipment, cell phones and tablets, and, through its library libcurl, serves as the internet transfer engine for thousands of software applications.

Keeping an eye on open source

The curl source code is hosted on GitHub and includes both past and current stable releases. The repository also carries the full commit history: the individual changes in which code is updated, features are added or removed, and security issues are fixed.

The Black Duck® Security Research team monitors commit messages for any mention of a CVE ID, which signals that a security issue in curl has been fixed. Because the curl maintainers name the CVE in the fixing commit, this often surfaces the fix before the project's own advisory and well before the NVD record appears.
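The monitoring described above, as an added example that is not Black Duck's tooling: it parses `git log` output into one record per commit and reports which commits mention which CVE IDs. The `SAMPLE_LOG` string is constructed for the demo; its hashes, dates and subjects are not real curl commits (only the two CVE numbers come from this page). The `fetch_log` helper shows how the same parser would be fed from a local clone.

```python
"""Scan git commit messages for CVE identifiers (added example, not Black Duck code)."""
import re
import subprocess
from collections import defaultdict

# CVE-YYYY-NNNN, where the sequence part has four or more digits (IDs with five
# or more digits have been issued since 2014). Case-insensitive so "cve-2022-…"
# written in a commit body is caught too.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Unit separator (\x1f) between fields and record separator (\x1e) between
# commits: neither byte can appear in a commit subject, so splitting is safe.
GIT_FORMAT = "%H%x1f%ci%x1f%s%x1f%b%x1e"

# Constructed sample of `git log --format=GIT_FORMAT` output (not real commits).
SAMPLE_LOG = (
    "0000000000000000000000000000000000000001\x1f2022-05-09 10:00:00 +0200\x1f"
    "certinfo: stop looping over the certificate list\x1f"
    "Fixes CVE-2022-27781\n\x1e\n"
    "0000000000000000000000000000000000000002\x1f2022-05-09 11:30:00 +0200\x1f"
    "docs: clarify the CVE process\x1f"
    "The bare word CVE must not be reported as an identifier.\n\x1e\n"
    "0000000000000000000000000000000000000003\x1f2022-05-10 09:15:00 +0200\x1f"
    "conncache: compare TLS options before reusing an SSH connection\x1f"
    "Reported-by: constructed reporter\nFixes cve-2022-27782 (lower case on purpose)\n"
    "Also see CVE-2022-27782, repeated and therefore counted once.\n\x1e\n"
)


def parse_log(raw: str) -> list:
    """Split raw `git log` output produced with GIT_FORMAT into commit dicts."""
    commits = []
    for record in raw.split("\x1e"):
        if not record.strip():
            continue  # trailing newline after the last record
        # git prints a newline after every commit, so records 2..n start with one.
        sha, date, subject, body = record.lstrip("\n").split("\x1f", 3)
        commits.append({"sha": sha, "date": date, "subject": subject, "body": body})
    return commits


def cve_mentions(commits: list) -> dict:
    """Map each CVE ID (normalised to upper case) to the SHAs that mention it."""
    hits = defaultdict(list)
    for c in commits:
        text = c["subject"] + "\n" + c["body"]
        for cve in sorted({m.upper() for m in CVE_RE.findall(text)}):
            hits[cve].append(c["sha"])
    return dict(hits)


def fetch_log(repo: str, since: str) -> list:
    """Read commits from a local clone, e.g. fetch_log('/src/curl', '2022-05-01').
    Assumes git is installed; not exercised by the offline demo below."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--since={since}", f"--format={GIT_FORMAT}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_log(out)


if __name__ == "__main__":
    for cve, shas in cve_mentions(parse_log(SAMPLE_LOG)).items():
        print(cve, "->", ", ".join(s[:12] for s in shas))
```

A hit only means the commit message names a CVE; a release note, test or documentation change can do that too, so each match still needs a look at the diff before it becomes an advisory, which is the analysis step the article describes.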

Bingo

On May 10, 2022, six commits were identified with six distinct CVE IDs. Our research team quickly reviewed the commit messages and analyzed the source code changes.

Based on our analysis, our team created six Black Duck Security Advisories (BDSAs), one per CVE. Each BDSA describes the impact of the vulnerability, which versions of curl are affected, and where to find a patched version.

As with all BDSAs, we assigned severity ratings generated using CVSS, following our consistent rating methodology. The BDSAs were released on May 10, 2022, a full day before the official advisories from the curl team, and 23 days before the corresponding records were published in the National Vulnerability Database (NVD).

This is just one example of how research performed by Black Duck’s security research team provides valuable information to our customers as quickly as possible.

BDSA / CVE / Description / Severity (CVSS)

The vectors below carry temporal metrics (E, RL, RC), so each score is a temporal score, not the base score alone.

BDSA-2022-1290 (CVE-2022-27781)
  Denial of service (DoS) caused by a certificate loop. A detailed description of where the vulnerability lies, along with the mitigations implemented by the vendor, is available in the BDSA.
  CVSS v3: 3.8  AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
  CVSS v2: 3.2  AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

BDSA-2022-1291 (CVE-2022-30115)
  Information disclosure that an attacker could exploit to obtain plaintext data that should have been encrypted. A detailed description of why the vulnerability exists and where it is located is available in the BDSA.
  CVSS v3: 6.5  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
  CVSS v2: 3.7  AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C

BDSA-2022-1292 (CVE-2022-27778)
  File deletion caused by an incorrect function call. A detailed description of the affected function calls and why they are vulnerable is available in the BDSA.
  CVSS v3: 6.7  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
  CVSS v2: 3.9  AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C

BDSA-2022-1293 (CVE-2022-27779)
  Information disclosure that could allow an attacker to access arbitrary cookie data. A detailed description of the affected curl versions and the cause of the disclosure is available in the BDSA.
  CVSS v3: 5.7  AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
  CVSS v2: 3.2  AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C

BDSA-2022-1295 (CVE-2022-27782)
  Flaw caused by a mismatch of Secure Shell (SSH) and Transport Layer Security (TLS) options. This is the only BDSA for which the researcher could not identify a specific impact from source code analysis alone; guidance on fixing the vulnerability is still available in the BDSA.
  CVSS v3: 4.6  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
  CVSS v2: 3.7  AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C

BDSA-2022-1297 (CVE-2022-27780)
  Security filter bypass that occurs when decoding the hostname portion of a URL. A detailed description of where the vulnerability lies, along with the mitigations implemented by the vendor, is available in the BDSA.
  CVSS v3: 4.6  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
  CVSS v2: 3.7  AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C