CVE-2022-27780 - log

CVE-2022-27780 edited at 11 May 2022 10:55:10
Severity
- Unknown
+ Medium
Description
+ The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F10.0.0.1/` would be allowed by the parser and get transposed into `http://example.com/10.0.0.1/`. This flaw can be used to circumvent filters, checks and more.
References
+ https://seclists.org/oss-sec/2022/q2/94
+ https://curl.se/docs/CVE-2022-27780.html
+ https://github.com/curl/curl/commit/914aaab9153764e
+ https://github.com/curl/curl/commit/9a8564a920188e
Notes
+ Affected versions: curl 7.80.0 to and including 7.83.0
+ Not affected versions: curl < 7.83.0 and curl >= 7.83.1
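The transposition described in the entry above, as an added defensive pre-check that is not part of curl or of this tracker record: it percent-decodes the authority (host) part of a URL the way the flawed parser does and reports whether a URL separator appears only after decoding, so such URLs can be rejected before they reach an affected curl. Function names and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Characters that delimit the authority (host) part of a URL. If one of them
# shows up only after percent-decoding the authority, a parser that decodes
# the host name before locating these delimiters (curl 7.80.0 - 7.83.0)
# connects to a different host than the one a pre-decoding filter inspected.
_SEPARATORS = re.compile(r"[/?#\\]")


def authority_after_decoding(url: str) -> str:
    """Authority (userinfo@host:port) the flawed decoder would end up using:
    the percent-decoded authority, cut at the first separator it now contains."""
    decoded = unquote(urlsplit(url).netloc)
    return _SEPARATORS.split(decoded, maxsplit=1)[0]


def has_encoded_separator(url: str) -> bool:
    """True when percent-decoding the authority of `url` produces a URL
    separator, i.e. the request would be transposed onto a different host."""
    decoded = unquote(urlsplit(url).netloc)
    return _SEPARATORS.search(decoded) is not None


def check_urls(urls):
    """Map each URL to (host a naive filter sees, host curl would use, rejected?)."""
    report = {}
    for url in urls:
        seen_by_filter = urlsplit(url).netloc
        report[url] = (seen_by_filter,
                       authority_after_decoding(url),
                       has_encoded_separator(url))
    return report


if __name__ == "__main__":
    # Constructed sample input: the advisory's example plus benign variants.
    samples = [
        "http://example.com%2F10.0.0.1/",      # decodes to example.com/10.0.0.1/
        "http://example.com%3Fx=1/",           # '?' appears after decoding
        "http://example.com/10.0.0.1/",        # separator already in the path
        "http://example.com/%2Fpath?q=%2F",    # encoded '/' only in path/query
    ]
    for url, (seen, used, rejected) in check_urls(samples).items():
        print(f"{url}\n  filter sees: {seen}\n  curl uses:   {used}\n  reject: {rejected}")
```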
CVE-2022-27780 created at 11 May 2022 10:34:34
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes