CVE-2022-27780

Published: 11 May 2022

The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved.

Priority

Status

Package	Release	Status
curl Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	focal	Not vulnerable (code not present)
	impish	Not vulnerable (code not present)
	jammy	Released (7.81.0-1ubuntu1.2)
	trusty	Not vulnerable (code not present)
	upstream	Released (7.83.1)
	xenial	Not vulnerable (code not present)

Notes

Author	Note
mdeslaur	introduced in 7.80

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27780
https://curl.se/docs/CVE-2022-27780.html
https://ubuntu.com/security/notices/USN-5412-1
NVD
Launchpad
Debian

Bugs

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›