CVE-2022-27776

NameCVE-2022-27776
DescriptionA insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3085-1, DSA-5197-1
Debian Bugs1010252

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)buster7.64.0-4+deb10u2vulnerable
buster (security)7.64.0-4+deb10u8fixed
bullseye (security), bullseye7.74.0-1.3+deb11u11fixed
bookworm, bookworm (security)7.88.1-10+deb12u5fixed
trixie8.5.0-2fixed
sid8.6.0-3.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcebuster7.64.0-4+deb10u3DLA-3085-1
curlsourcebullseye7.74.0-1.3+deb11u2DSA-5197-1
curlsource(unstable)7.83.0-11010252

Notes

https://curl.se/docs/CVE-2022-27776.html
Fixed by: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258 (curl-7_83_0)

Search for package or bug name: Reporting problems