Bug 1199222 - (CVE-2022-27780) VUL-0: CVE-2022-27780: curl: percent-encoded path separator in URL host (3/6)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
https://smash.suse.de/issue/330787/
Reported: 2022-05-05 07:01 UTC by Robert Frohl
Modified: 2022-09-16 12:52 UTC (History)
Comment 4 Gianluca Gabrielli 2022-05-11 07:02:05 UTC
Public.


percent-encoded path separator in URL host
==========================================

Project curl Security Advisory, May 11 2022 -
[Permalink](https://curl.se/docs/CVE-2022-27780.html)

VULNERABILITY
-------------

The curl URL parser wrongly accepts percent-encoded URL separators like '/'
when decoding the host name part of a URL, making it a *different* URL using
the wrong host name when it is later retrieved.

For example, a URL like `http://example.com%2F10.0.0.1/` would be allowed by
the parser and get transposed into `http://example.com/10.0.0.1/`. This flaw
can be used to circumvent filters, checks and more.

We are not aware of any exploit of this flaw.

INFO
----

This flaw was introduced in [commit
9a8564a920188e](https://github.com/curl/curl/commit/9a8564a920188e), shipped
in curl 7.80.0 when curl added support for percent-encoded host names in URLs.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-27780 to this issue.

CWE-177: Improper Handling of URL Encoding

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.80.0 to and including 7.83.0
- Not affected versions: curl < 7.83.0 and curl >= 7.83.1

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

The URL parser now rejects host names that percent-decode into URL separator
characters.

A [fix for CVE-2022-27780](https://github.com/curl/curl/commit/914aaab9153764e)

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 7.83.1

 B - Apply the patch to your local version

TIMELINE
--------

This issue was reported to the curl project on April 28, 2022. We contacted
distros@openwall on May 5.

libcurl 7.83.1 was released on May 11 2022, coordinated with the publication
of this advisory.

CREDITS
-------

This issue was reported by Axel Chong. Patched by Daniel Stenberg.

Thanks a lot!

-- 

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
Comment 6 David Anes 2022-05-13 07:03:48 UTC
Everything was done. Sent it back to security team.
Comment 7 Carlos López 2022-09-16 12:52:43 UTC
Done, closing.