haxx curl CVE-2022-27779 vulnerability in Haxx and Other Products
Published on June 2, 2022

product logo product logo product logo
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.

Vendor Advisory NVD

Weakness Type

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure).


Products Associated with CVE-2022-27779

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-27779 are published in these products:

Haxx Curl
 
NetApp Clustered Data Ontap
 
NetApp Solidfire Hci Management Node
 
NetApp Hci Compute Node
 
NetApp Solidfire Enterprise Sds Hci Storage Node
 
Splunk Universal Forwarder
 

Exploit Probability

EPSS
0.27%
Percentile
50.36%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.