CVE-2022-27780

Published: 11 May 2022

The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F127.0.0.1/` would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks and more.

Notes

Author    Note
mdeslaur  introduced in 7.80

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: curl (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Not vulnerable (code not present)
focal     Not vulnerable (code not present)
impish    Not vulnerable (code not present)
jammy     Released (7.81.0-1ubuntu1.2)
trusty    Not vulnerable (code not present)
upstream  Released (7.83.1)
xenial    Not vulnerable (code not present)