CVE-2022-27780 log
| Source |
|
| Severity | Medium |
| Remote | Unknown |
| Type | Unknown |
| Description | The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F10.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/10.0.0.1/`. This flaw can be used to circumvent filters, checks and more. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-2706 | curl | 7.83.0-1 | 7.83.1-1 | Medium | Fixed |
| References |
|---|
https://seclists.org/oss-sec/2022/q2/94 https://curl.se/docs/CVE-2022-27780.html https://github.com/curl/curl/commit/914aaab9153764e https://github.com/curl/curl/commit/9a8564a920188e |
| Notes |
|---|
Affected versions: curl 7.80.0 to and including 7.83.0 Not affected versions: curl < 7.83.0 and curl >= 7.83.1 |