
CVE-2022-27781

Published: 11 May 2022

libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.

Notes

Author: amurray
Note: Affects curl versions 7.34.0 up to and including 7.83.0

Mitigation

Do not use the `CURLOPT_CERTINFO` option
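As an added example (not part of the Ubuntu tracker entry or the curl project's own code), the following POSIX shell functions take the output of `curl --version` and report whether a build falls in the affected range (7.34.0 through 7.83.0) and is linked against NSS, which is the combination this CVE concerns. The sample version lines are constructed for illustration, not captured from real systems.

```shell
# Added example (not from the Ubuntu CVE tracker or the curl project): classify a
# libcurl build from `curl --version` output for CVE-2022-27781.
# Affected when 7.34.0 <= libcurl version <= 7.83.0 AND the build uses NSS.

# Convert "major.minor.patch" into a single integer for numeric comparison.
version_key() {
    echo "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Succeed (exit 0) when the version lies within the affected range.
version_in_range() {
    v=$(version_key "$1")
    [ "$v" -ge "$(version_key 7.34.0)" ] && [ "$v" -le "$(version_key 7.83.0)" ]
}

# Extract the libcurl version from the first line of `curl --version` output,
# which looks like: curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f ...
libcurl_version() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's#.*libcurl/\([0-9][0-9.]*\).*#\1#p'
}

# Print one of: affected, version-only, not-affected, unknown.
# Exit status is 0 only for "affected".
curl_cve_2022_27781_status() {
    first=$(printf '%s\n' "$1" | head -n 1)
    libver=$(libcurl_version "$first")
    if [ -z "$libver" ]; then
        echo "unknown"; return 2
    fi
    if ! version_in_range "$libver"; then
        echo "not-affected"; return 1
    fi
    # The TLS backend is listed on the same line; only NSS builds are affected.
    case "$first" in
        *" NSS/"*) echo "affected"; return 0 ;;
        *)          echo "version-only"; return 1 ;;
    esac
}

# Constructed sample outputs (not captured from real systems).
SAMPLE_NSS='curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 NSS/3.53.1 zlib/1.2.11'
SAMPLE_OPENSSL='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11'
SAMPLE_FIXED='curl 7.83.1 (x86_64-pc-linux-gnu) libcurl/7.83.1 NSS/3.79'

for sample in "$SAMPLE_NSS" "$SAMPLE_OPENSSL" "$SAMPLE_FIXED"; do
    result=$(curl_cve_2022_27781_status "$sample") || true
    printf '%s -> %s\n' "$(printf '%s\n' "$sample" | head -n 1)" "$result"
done
```

Distribution packages backport fixes without changing the upstream version string, so on an Ubuntu host the installed package version (for example from `dpkg -l 'libcurl*'`) should be compared against the release table on this page rather than trusting the libcurl version alone; the "version-only" result is a reminder that a non-NSS build is outside the scope of this CVE even when its version is in range.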

Priority

Low

CVSS 3 base score: 7.5

Status

Package: curl (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (7.58.0-2ubuntu3.18)
focal      Released (7.68.0-1ubuntu2.11)
impish     Released (7.74.0-1.3ubuntu2.2)
jammy      Released (7.81.0-1ubuntu1.2)
trusty     Released (7.35.0-1ubuntu2.20+esm11)
upstream   Released (7.83.1)
xenial     Released (7.47.0-1ubuntu2.19+esm4)