Bug 2135416 (CVE-2022-42916) - CVE-2022-42916 curl: HSTS bypass via IDN
Summary: CVE-2022-42916 curl: HSTS bypass via IDN
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-42916
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2137770 2135693 2135694 2137769
Blocks: 2135407
TreeView+ depends on / blocked
 
Reported: 2022-10-17 15:16 UTC by Marian Rehak
Modified: 2022-12-10 20:13 UTC (History)
15 users (show)

Fixed In Version: curl 7.86.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism can be bypassed if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`.
Clone Of:
Environment:
Last Closed: 2022-12-10 20:13:16 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8840 0 None None None 2022-12-08 13:07:26 UTC
Red Hat Product Errata RHSA-2022:8841 0 None None None 2022-12-08 13:22:35 UTC

Description Marian Rehak 2022-10-17 15:16:53 UTC
curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`.

Reference:

https://curl.se/docs/CVE-2022-42916.html

Comment 4 Sandipan Roy 2022-10-26 07:22:22 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2137769]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2137770]

Comment 6 errata-xmlrpc 2022-12-08 13:07:25 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2022:8840 https://access.redhat.com/errata/RHSA-2022:8840

Comment 7 errata-xmlrpc 2022-12-08 13:22:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841

Comment 8 Product Security DevOps Team 2022-12-10 20:13:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-42916


Note You need to log in before you can comment on or make changes to this bug.