curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
References
Link | Resource |
---|---|
http://seclists.org/fulldisclosure/2023/Jan/19 | Mailing List Third Party Advisory |
http://seclists.org/fulldisclosure/2023/Jan/20 | Mailing List Third Party Advisory |
https://curl.se/docs/CVE-2022-42915.html | Vendor Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/ | Mailing List Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/ | Mailing List Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/ | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/202212-01 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20221209-0010/ | Third Party Advisory |
https://support.apple.com/kb/HT213604 | Third Party Advisory |
https://support.apple.com/kb/HT213605 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
|
Configuration 8 (hide)
|
Configuration 9 (hide)
|
History
27 Mar 2024, 14:59
Type | Values Removed | Values Added |
---|---|---|
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/ - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/ - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* |
|
First Time |
Splunk
Splunk universal Forwarder |
07 Nov 2023, 03:53
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
15 Jun 2023, 19:44
Type | Values Removed | Values Added |
---|---|---|
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jan/19 - Mailing List, Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jan/20 - Mailing List, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
01 Mar 2023, 18:06
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://support.apple.com/kb/HT213604 - Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT213605 - Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jan/20 - Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jan/19 - Third Party Advisory | |
First Time |
Apple macos
Apple |
|
CPE | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
26 Jan 2023, 21:17
Type | Values Removed | Values Added |
---|---|---|
References |
|
23 Jan 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Jan 2023, 02:45
Type | Values Removed | Values Added |
---|---|---|
First Time |
Netapp h700s
Netapp h500s Netapp h700s Firmware Netapp Netapp h410s Netapp h300s Netapp h300s Firmware Netapp h500s Firmware Netapp ontap 9 Netapp h410s Firmware |
|
CPE | cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:ontap_9:-:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* |
|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20221209-0010/ - Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/ - Mailing List, Third Party Advisory | |
References | (GENTOO) https://security.gentoo.org/glsa/202212-01 - Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/ - Mailing List, Third Party Advisory |
19 Dec 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 Dec 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
14 Nov 2022, 15:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Nov 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
31 Oct 2022, 19:54
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | (MISC) https://curl.se/docs/CVE-2022-42915.html - Vendor Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/ - Mailing List, Third Party Advisory | |
First Time |
Fedoraproject
Haxx curl Fedoraproject fedora Haxx |
|
CWE | CWE-415 | |
CPE | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* |
30 Oct 2022, 23:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Oct 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-10-29 20:15
Updated : 2024-03-27 14:59
NVD link : CVE-2022-42915
Mitre link : CVE-2022-42915
CVE.ORG link : CVE-2022-42915
JSON object : View
Products Affected
netapp
- h700s_firmware
- h300s_firmware
- h500s
- ontap_9
- h300s
- h410s
- h410s_firmware
- h500s_firmware
- h700s
splunk
- universal_forwarder
apple
- macos
haxx
- curl
fedoraproject
- fedora
CWE
CWE-415
Double Free