CVE-2022-27776

NameCVE-2022-27776
DescriptionA insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3085-1, DSA-5197-1
Debian Bugs1010252

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)bullseye7.74.0-1.3+deb11u12fixed
bullseye (security)7.74.0-1.3+deb11u11fixed
bookworm7.88.1-10+deb12u6fixed
bookworm (security)7.88.1-10+deb12u5fixed
trixie8.8.0-4fixed
sid8.9.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcebuster7.64.0-4+deb10u3DLA-3085-1
curlsourcebullseye7.74.0-1.3+deb11u2DSA-5197-1
curlsource(unstable)7.83.0-11010252

Notes

https://curl.se/docs/CVE-2022-27776.html
Fixed by: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258 (curl-7_83_0)
Search for package or bug name: Reporting problems