CVE-2022-27782
Publication date 11 May 2022
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.
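A simplified model of the matching flaw described above, added here as an illustration and not taken from libcurl's source. The option name `crl_file`, the host `example.test` and the file path are constructed, and the real library compares many more fields.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Config:
    scheme: str
    host: str
    port: int
    security: tuple = ()  # sorted (name, value) pairs of TLS/SSH settings

def cfg(scheme, host, port, **security):
    # Option names passed here are constructed stand-ins, not real libcurl options.
    return Config(scheme, host, port, tuple(sorted(security.items())))

def match_incomplete(pooled, wanted):
    """Flawed check: compares the endpoint only and skips security settings."""
    return (pooled.scheme, pooled.host, pooled.port) == (
        wanted.scheme, wanted.host, wanted.port)

def match_complete(pooled, wanted):
    """Corrected check: security settings are part of the match."""
    return pooled == wanted

class Pool:
    def __init__(self, matcher):
        self.matcher = matcher
        self.conns = []  # the Config each pooled connection was set up with

    def acquire(self, wanted):
        """Return ('reused', config_of_pooled_conn) or ('new', wanted)."""
        for pooled in self.conns:
            if self.matcher(pooled, wanted):
                return "reused", pooled
        self.conns.append(wanted)
        return "new", wanted

def demo(matcher):
    """Two transfers to one endpoint; the second one tightens a TLS setting."""
    pool = Pool(matcher)
    first = cfg("https", "example.test", 443, crl_file=None)
    second = cfg("https", "example.test", 443,
                 crl_file="/constructed/revoked.pem")
    pool.acquire(first)
    return pool.acquire(second)

if __name__ == "__main__":
    print("incomplete match:", demo(match_incomplete))
    print("complete match:  ", demo(match_complete))
```

With the incomplete check, the second transfer runs on a connection that was set up without the setting it asked for; with the complete check it gets a fresh connection, while transfers with identical settings still share one.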
Status
Package | Ubuntu Release | Status |
---|---|---|
curl | 22.04 LTS jammy | Fixed 7.81.0-1ubuntu1.2 |
curl | 20.04 LTS focal | Fixed 7.68.0-1ubuntu2.11 |
curl | 18.04 LTS bionic | Fixed 7.58.0-2ubuntu3.18 |
curl | 16.04 LTS xenial | Ignored (regressions likely) |
curl | 14.04 LTS trusty | Ignored (end of ESM support, was ignored [regressions likely]) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-5412-1: curl vulnerabilities (11 May 2022)