CVE-2022-42916 (High) detected in curl-sys-0.4.55+curl-7.83.1.crate #379
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2022-42916 - High Severity Vulnerability
Native bindings to the libcurl library
Library home page: https://crates.io/api/v1/crates/curl-sys/0.4.55+curl-7.83.1/download
Dependency Hierarchy:
Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911
Found in base branch: master
In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
Publish Date: 2022-10-29
URL: CVE-2022-42916
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://curl.se/docs/CVE-2022-42916.html
Release Date: 2022-10-29
Fix Resolution: curl-7_86_0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: