When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
References
Link | Resource |
---|---|
http://seclists.org/fulldisclosure/2023/Jan/19 | Mailing List Third Party Advisory |
http://seclists.org/fulldisclosure/2023/Jan/20 | Mailing List Third Party Advisory |
http://www.openwall.com/lists/oss-security/2023/05/17/4 | Mailing List |
https://hackerone.com/reports/1704017 | Exploit Issue Tracking Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/202212-01 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20230110-0006/ | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20230208-0002/ | Third Party Advisory |
https://support.apple.com/kb/HT213604 | Third Party Advisory |
https://support.apple.com/kb/HT213605 | Third Party Advisory |
https://www.debian.org/security/2023/dsa-5330 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
|
Configuration 8 (hide)
|
Configuration 9 (hide)
|
History
27 Mar 2024, 15:00
Type | Values Removed | Values Added |
---|---|---|
References | () http://seclists.org/fulldisclosure/2023/Jan/19 - Mailing List, Third Party Advisory | |
References | () http://seclists.org/fulldisclosure/2023/Jan/20 - Mailing List, Third Party Advisory | |
References | () http://www.openwall.com/lists/oss-security/2023/05/17/4 - Mailing List | |
First Time |
Splunk
Splunk universal Forwarder |
|
CPE | cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* |
17 May 2023, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Mar 2023, 14:51
Type | Values Removed | Values Added |
---|---|---|
References | (DEBIAN) https://www.debian.org/security/2023/dsa-5330 - Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20230208-0002/ - Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jan/19 - Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jan/20 - Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20230110-0006/ - Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT213605 - Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT213604 - Third Party Advisory | |
First Time |
Netapp h700s
Netapp h500s Debian Apple macos Netapp h410s Netapp clustered Data Ontap Netapp h300s Netapp h410s Firmware Netapp h700s Firmware Netapp Netapp h300s Firmware Debian debian Linux Netapp h500s Firmware Apple |
|
CPE | cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
08 Feb 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Jan 2023, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Jan 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
26 Jan 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
23 Jan 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Jan 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
05 Jan 2023, 17:29
Type | Values Removed | Values Added |
---|---|---|
References | (GENTOO) https://security.gentoo.org/glsa/202212-01 - Third Party Advisory |
19 Dec 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Dec 2022, 15:29
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://hackerone.com/reports/1704017 - Exploit, Issue Tracking, Third Party Advisory | |
CPE | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | |
First Time |
Haxx curl
Haxx |
|
CWE | CWE-668 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
05 Dec 2022, 23:40
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-12-05 22:15
Updated : 2024-03-27 15:00
NVD link : CVE-2022-32221
Mitre link : CVE-2022-32221
CVE.ORG link : CVE-2022-32221
JSON object : View
Products Affected
netapp
- h500s
- h700s_firmware
- h410s
- h500s_firmware
- h300s
- h700s
- h300s_firmware
- h410s_firmware
- clustered_data_ontap
apple
- macos
splunk
- universal_forwarder
debian
- debian_linux
haxx
- curl