CVE-2022-32207

Published: 27 June 2022

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

Notes

Author: mdeslaur
Note: introduced in 7.69.0
Priority

Medium

CVSS 3 base score: 9.8

Status

Package: curl

Release    Status
bionic     Not vulnerable (code not present)
focal      Not vulnerable (code not present)
impish     Released (7.74.0-1.3ubuntu2.3)
jammy      Released (7.81.0-1ubuntu1.3)
trusty     Not vulnerable (code not present)
upstream   Released (7.84.0)
xenial     Not vulnerable (code not present)