CVE-2022-43551

NameCVE-2022-43551
DescriptionA vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1026829

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)buster7.64.0-4+deb10u2fixed
buster (security)7.64.0-4+deb10u4fixed
bullseye7.74.0-1.3+deb11u3vulnerable
bullseye (security)7.74.0-1.3+deb11u5vulnerable
bookworm, sid7.87.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcebuster(not affected)
curlsource(unstable)7.86.0-31026829

Notes

[bullseye] - curl <ignored> (curl is not built with HSTS support)
[buster] - curl <not-affected> (Vulnerable code not present)
https://curl.se/docs/CVE-2022-43551.html
Introduced by: https://github.com/curl/curl/commit/7385610d0c74c6a254fea5e4cd6e1d559d848c8c (curl-7_74_0)
Enabled by default since: https://github.com/curl/curl/commit/d71ff2b9db566b3f4b2eb29441c2df86715d4339 (curl-7_77_0)
Fixed by: https://github.com/curl/curl/commit/9e71901634e276dd050481c4320f046bebb1bc28 (curl-7_87_0)

Search for package or bug name: Reporting problems