When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
References
Link | Resource |
---|---|
http://seclists.org/fulldisclosure/2023/Jan/19 | Mailing List Third Party Advisory |
http://seclists.org/fulldisclosure/2023/Jan/20 | Mailing List Third Party Advisory |
http://www.openwall.com/lists/oss-security/2023/05/17/4 | Mailing List |
https://hackerone.com/reports/1704017 | Exploit Issue Tracking Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/202212-01 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20230110-0006/ | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20230208-0002/ | Third Party Advisory |
https://support.apple.com/kb/HT213604 | Third Party Advisory |
https://support.apple.com/kb/HT213605 | Third Party Advisory |
https://www.debian.org/security/2023/dsa-5330 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
|
Configuration 8 (hide)
|
Configuration 9 (hide)
|
History
27 Mar 2024, 15:00
Type | Values Removed | Values Added |
---|---|---|
First Time |
Splunk universal Forwarder
Splunk |
|
References | () http://seclists.org/fulldisclosure/2023/Jan/19 - Mailing List, Third Party Advisory | |
References | () http://seclists.org/fulldisclosure/2023/Jan/20 - Mailing List, Third Party Advisory | |
References | () http://www.openwall.com/lists/oss-security/2023/05/17/4 - Mailing List | |
CPE | cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* |
17 May 2023, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Mar 2023, 14:51
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
References | (GENTOO) https://security.gentoo.org/glsa/202212-01 - Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:* cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* |
19 Dec 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-12-05 22:15
Updated : 2024-03-27 15:00
NVD link : CVE-2022-32221
Mitre link : CVE-2022-32221
CVE.ORG link : CVE-2022-32221
JSON object : View
Products Affected
netapp
- h300s_firmware
- clustered_data_ontap
- h700s_firmware
- h410s
- h300s
- h500s_firmware
- h500s
- h700s
- h410s_firmware
debian
- debian_linux
haxx
- curl
splunk
- universal_forwarder
apple
- macos