Bug 2082203 (CVE-2022-27780)

Summary: CVE-2022-27780 curl: percent-encoded path separator in URL host
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andrew.slice, bodavis, csutherl, dbhole, erik-fedora, gzaronik, hhorak, jclere, jorton, jwon, kanderso, kdudka, luhliari, lvaleeva, mike, msekleta, mturk, omajid, paul, pjindal, rwagner, security-response-team, svashisht, szappis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: curl 7.83.1 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in curl. This issue occurs because the curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the hostname part of a URL, making it a different URL using the wrong hostname when it is later retrieved. This flaw allows a malicious actor to make circumventing filters.
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-13 06:00:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 2082195    

Description Marian Rehak 2022-05-05 15:07:26 UTC
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F10.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/`. This flaw can be used to circumvent filters, checks and more.

Comment 3 Product Security DevOps Team 2023-01-13 06:00:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):