CVE-2022-30115 - log back

CVE-2022-30115 edited at 13 May 2022 19:24:21
Remote
- Unknown
+ Local
Type
- Unknown
+ Information disclosure
Description
- curl's HSTS check could be bypassed to trick it to keep using HTTP by using a trailing dot in the hostname of the given URL while the HSTS cache was buillt without it or the other way around.
+ A vulnerability was found in curl. This issue occurs because when using its HTTP Strict Transport Security(HSTS) support, it can instruct curl to use HTTPS directly instead of using an insecure clear text HTTP step even when HTTP is provided in the URL. This flaw leads to a clear text transmission of sensitive information.
CVE-2022-30115 edited at 11 May 2022 10:28:05
Notes
+ Affected versions: curl 7.82.0 to and including 7.83.0
+ Not affected versions: curl < 7.82.0 and curl >= 7.83.1
CVE-2022-30115 created at 11 May 2022 10:19:01
Severity
+ Medium
Remote
+ Unknown
Type
+ Unknown
Description
+ curl's HSTS check could be bypassed to trick it to keep using HTTP by using a trailing dot in the hostname of the given URL while the HSTS cache was buillt without it or the other way around.
References
+ https://seclists.org/oss-sec/2022/q2/97
+ https://curl.se/docs/CVE-2022-30115.html
+ https://github.com/curl/curl/commit/fae6fea209a2d4d
+ https://github.com/curl/curl/commit/b27ad8e1d3e68e
Notes