CVE-2022-42915 (High) detected in curl-sys-0.4.55+curl-7.83.1.crate #378
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2022-42915 - High Severity Vulnerability
Native bindings to the libcurl library
Library home page: https://crates.io/api/v1/crates/curl-sys/0.4.55+curl-7.83.1/download
Dependency Hierarchy:
Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911
Found in base branch: master
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
Publish Date: 2022-10-29
URL: CVE-2022-42915
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://curl.se/docs/CVE-2022-42915.html
Release Date: 2022-10-29
Fix Resolution: curl-7_86_0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: