CVE-2022-32221
CVE-2022-32221
Vexday Risk Score
28Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 9.8EPSS 4.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Ciclo de vida
05 dic 2022Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
n/a · https://github.com/curl/curl¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
http://seclists.org/fulldisclosure/2023/Jan/19http://seclists.org/fulldisclosure/2023/Jan/20https://hackerone.com/reports/1704017https://lists.debian.org/debian-lts-announce/2023/01/msg00028.htmlhttps://security.gentoo.org/glsa/202212-01https://security.netapp.com/advisory/ntap-20230110-0006/https://security.netapp.com/advisory/ntap-20230208-0002/https://support.apple.com/kb/HT213604https://support.apple.com/kb/HT213605https://www.debian.org/security/2023/dsa-5330http://www.openwall.com/lists/oss-security/2023/05/17/4