Bug 2135416 (CVE-2022-42916) - CVE-2022-42916 curl: HSTS bypass via IDN
Summary: CVE-2022-42916 curl: HSTS bypass via IDN
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-42916
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Red Hat2135693 Red Hat2135694 2137769 2137770
Blocks: Embargoed2135407
TreeView+ depends on / blocked
 
Reported: 2022-10-17 15:16 UTC by Marian Rehak
Modified: 2022-12-10 20:13 UTC (History)
15 users (show)

Fixed In Version: curl 7.86.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism can be bypassed if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`.
Clone Of:
Environment:
Last Closed: 2022-12-10 20:13:16 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8840 0 None None None 2022-12-08 13:07:26 UTC
Red Hat Product Errata RHSA-2022:8841 0 None None None 2022-12-08 13:22:35 UTC

Description Marian Rehak 2022-10-17 15:16:53 UTC 
curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`.

Reference:

https://curl.se/docs/CVE-2022-42916.html
Comment 4 Sandipan Roy 2022-10-26 07:22:22 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2137769]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2137770]
Comment 6 errata-xmlrpc 2022-12-08 13:07:25 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2022:8840 https://access.redhat.com/errata/RHSA-2022:8840
Comment 7 errata-xmlrpc 2022-12-08 13:22:33 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841
Comment 8 Product Security DevOps Team 2022-12-10 20:13:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-42916
Note You need to log in before you can comment on or make changes to this bug.