CVE-2022-27781
Published: 11 May 2022
libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.
Mitigation
Do not use the `CURLOPT_CERTINFO` option
Priority
Notes
| Author | Note |
|---|---|
| amurray | Affects curl versions 7.34.0 up to and including 7.83.0 |
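An added example (not part of this advisory or of curl's own code) that turns the description and the version note above into a runtime guard: an application that wants to enable `CURLOPT_CERTINFO` can first check whether the libcurl it is linked against falls in the affected range and uses the NSS backend. The function takes values shaped like the `version_num` (0xXXYYZZ) and `ssl_version` fields that `curl_version_info()` returns; the sample values below are constructed, and matching the backend by the `NSS/` prefix is an assumption about how the backend string is formatted.

```c
#include <stdio.h>
#include <string.h>

/* libcurl encodes its version as 0xXXYYZZ (major, minor, patch).
   The bounds are the ones given in the note above: 7.34.0 .. 7.83.0. */
#define FIRST_AFFECTED 0x072200u  /* 7.34.0 */
#define LAST_AFFECTED  0x075300u  /* 7.83.0 */

/* Parse a dotted "7.81.0" string into the 0xXXYYZZ form.
   Returns 0 on malformed input (too few fields, trailing junk, field > 255). */
unsigned parse_curl_version(const char *s) {
    unsigned major, minor, patch;
    char trailing;
    if (s == NULL) return 0;
    if (sscanf(s, "%u.%u.%u%c", &major, &minor, &patch, &trailing) != 3) return 0;
    if (major > 255 || minor > 255 || patch > 255) return 0;
    return (major << 16) | (minor << 8) | patch;
}

/* 1 when this build matches CVE-2022-27781's conditions: version in the
   affected range AND the TLS backend is NSS (assumed to be reported as "NSS/x.y"). */
int certinfo_busy_loop_affected(unsigned version_num, const char *ssl_version) {
    int in_range = version_num >= FIRST_AFFECTED && version_num <= LAST_AFFECTED;
    int uses_nss = ssl_version != NULL && strstr(ssl_version, "NSS/") != NULL;
    return in_range && uses_nss;
}

int main(void) {
    /* Constructed samples shaped like curl_version_info() fields, not live data. */
    struct { const char *version; const char *ssl; } samples[] = {
        {"7.81.0", "NSS/3.68"},        /* affected: in range, NSS backend */
        {"7.81.0", "OpenSSL/1.1.1f"},  /* not affected: other backend */
        {"7.83.1", "NSS/3.79"},        /* not affected: past the stated range */
        {"7.33.0", "NSS/3.15"},        /* not affected: before the stated range */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned v = parse_curl_version(samples[i].version);
        int hit = certinfo_busy_loop_affected(v, samples[i].ssl);
        printf("curl %s with %-14s -> %s CURLOPT_CERTINFO\n", samples[i].version,
               samples[i].ssl, hit ? "do NOT enable" : "safe to enable");
    }
    return 0;
}
```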
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27781
- https://curl.se/docs/CVE-2022-27781.html
- https://github.com/curl/curl/commit/f6c335d63f
- https://ubuntu.com/security/notices/USN-5412-1