Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2022-32221

Published: 26 October 2022

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

Notes

AuthorNote
alexmurray
affects libcurl 7.7 to and including 7.85.0
Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
curl
Launchpad, Ubuntu, Debian
bionic
Released (7.58.0-2ubuntu3.21)
focal
Released (7.68.0-1ubuntu2.14)
jammy
Released (7.81.0-1ubuntu1.6)
kinetic
Released (7.85.0-1ubuntu0.1)
trusty
Released (7.35.0-1ubuntu2.20+esm13)
upstream Needs triage

xenial
Released (7.47.0-1ubuntu2.19+esm6)
Patches:
upstream: https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9