Bug 2120718 (CVE-2022-35252)
Summary: | CVE-2022-35252 curl: Incorrect handling of control code characters in cookies | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | csutherl, erik-fedora, jclere, jwon, kdudka, kyoshida, lzaoral, mike, msekleta, mturk, paul, peholase, pjindal, plodge, security-response-team, svashisht, szappis |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | curl 7.85.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A vulnerability found in curl. This security flaw happens when curl is used to retrieve and parse cookies from an HTTP(S) server, where it accepts cookies using control codes (byte values below 32), and also when cookies that contain such control codes are later sent back to an HTTP(S) server, possibly causing the server to return a 400 response. This issue effectively allows a "sister site" to deny service to siblings and cause a denial of service attack.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-05-17 00:50:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2120722, 2120724, 2122881, 2122882 | ||
Bug Blocks: | 2120719 |
Description
Marian Rehak
2022-08-23 15:36:13 UTC
Created curl tracking bugs for this issue: Affects: fedora-all [bug 2122881] Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 2122882] This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2022:8840 https://access.redhat.com/errata/RHSA-2022:8840 This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2478 https://access.redhat.com/errata/RHSA-2023:2478 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2963 https://access.redhat.com/errata/RHSA-2023:2963 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-35252 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0428 https://access.redhat.com/errata/RHSA-2024:0428 |