2082223 – (CVE-2022-30115) CVE-2022-30115 curl: HSTS bypass via trailing dot

Bug 2082223 (CVE-2022-30115) - CVE-2022-30115 curl: HSTS bypass via trailing dot

Summary: CVE-2022-30115 curl: HSTS bypass via trailing dot

Keywords:
Status:	NEW
Alias:	CVE-2022-30115
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2082195
TreeView+	depends on / blocked

Reported:	2022-05-05 15:21 UTC by Marian Rehak
Modified:	2022-05-11 14:53 UTC (History)
CC List:	25 users (show)
Fixed In Version:	curl 7.83.1
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in curl. This issue occurs because when using its HTTP Strict Transport Security(HSTS) support, it can instruct curl to use HTTPS directly instead of using an insecure clear text HTTP step even when HTTP is provided in the URL. This flaw leads to a clear text transmission of sensitive information.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Marian Rehak 2022-05-05 15:21:44 UTC

Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or the other way around - by having the trailing dot in the HSTS cache and *not* using the trailing dot in the URL.

Note You need to log in before you can comment on or make changes to this bug.

andrew.slice
bodavis
csutherl
dbhole
erik-fedora
gzaronik
hhorak
jclere
jorton
jwon
kanderso
kdudka
krathod
luhliari
lvaleeva
mike
msekleta
mturk
omajid
paul
pjindal
rwagner
security-response-team
svashisht
szappis