The free and open source command line tool curl is used to transfer data specified with a URL. It supports a variety of protocols and performs certificate verification when required by a secure protocol (e.g., HTTPS). It is used in a wide range of technologies including cars, televisions, routers, printers, audio equipment, mobile phones, and tablets, and it is the internet transfer engine for thousands of software applications.
The source code for curl is hosted on GitHub, and it includes past and most recent stable releases. Furthermore, the repository contains the commits where the code is updated, functionality is added or removed, and security issues are mitigated.
The Black Duck® Security Research team monitors the commit messages for any mention of a CVE ID, which indicates a security issue in curl that has been resolved.
On May 10, 2022, six commits were identified with six separate CVE IDs. Our research team quickly reviewed the commit messages and analyzed the changes to the source code.
Based on our analysis, our team created six Black Duck Security Advisories (BDSAs) corresponding to the CVEs. These BDSAs include the impacts of the vulnerability, advice on which versions of curl are vulnerable, and where to find a fixed version.
As with all BDSAs, we assigned severity ratings generated using CVSS score, based on our consistent, dependable scoring methodology. The BDSAs were published on May 10, 2022, a full day before the official advisories from the curl team, and 23 days before the corresponding records were published in the National Vulnerability Database (NVD).
This is just one example of how the research done by the Black Duck Security Research team provides valuable information to our customers as quickly as possible.
# |
Title |
Severity CVSS |
BDSA-2022-1290 |
This BDSA describes a denial-of-service (DoS) caused by a certificate loop. A detailed description of where the vulnerability is found, along with mitigation measures the vendor has put in place, is available in the BDSA. |
CVSS3: 3.8 |
BDSA-2022-1291 |
This BDSA describes an information disclosure vulnerability that an attacker could exploit to gain access to cleartext data that should have been encrypted. A detailed description of why the vulnerability exits and where it is found is available in the BDSA. |
CVSS3: 6.5 |
BDSA-2022-1292 |
This BDSA describes a vulnerability that allows an attacker to delete files due to the use of an incorrect function call. A detailed description of the affected function calls and why they are vulnerable is available in the BDSA. |
CVSS3: 6.7 |
BDSA-2022-1293 |
This BDSA describes an information disclosure vulnerability that could enable an attacker to gain access to arbitrary cookie data. A detailed description of which builds of curl are vulnerable to this, as well as the cause of this information disclosure, is available in the BDSA. |
CVSS3: 5.7 |
BDSA-2022-1295 |
This BDSA describes a flaw caused by mismatching Secure Shell Protocol (SSH) and Transport Layer Security (TLS) options. This is the only BDSA in which the researcher was unable to identify any specific impacts based on source code analysis. However, advice about fixing this vulnerability is still available in the BDSA. |
CVSS3: 4.6 |
BDSA-2022-1297 |
This BDSA describes a security filter bypass vulnerability that occurs when decoding the hostname part of a URL. A detailed description of where the vulnerability is found, along with mitigation measures the vendor has put in place, is available in the BDSA. |
CVSS3: 4.6 |