CVE-2022-27774

Severity: MEDIUM (CVSS 3.1 base score 5.7)
Published Jun 2, 2022 · Modified Jun 17, 2026

Description

An insufficiently protected credentials vulnerability exists in curl 4.9 up to and including 7.82.0. When curl is used with authentication and is configured to follow HTTP(S) redirects, it could leak those credentials to other services on a different protocol or port number, allowing an attacker to extract them.

CVSS Details

Base Score
5.7
Exploitability
2.1
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses (1)

CWE-522 (Insufficiently Protected Credentials)

Affected Products (20)

Vendor   Product                          Version  Range
haxx     curl                             *        ≥4.9 – ≤7.82.0
debian   debian_linux                     10.0     any
debian   debian_linux                     11.0     any
netapp   hci_bootstrap_os                 *        any
netapp   hci_compute_node                 *        any
netapp   clustered_data_ontap             *        any
netapp   solidfire_&_hci_management_node  *        any
netapp   solidfire_&_hci_storage_node     *        any
brocade  fabric_operating_system          *        any
netapp   h300s_firmware                   *        any
netapp   h300s                            *        any
netapp   h500s_firmware                   *        any
netapp   h500s                            *        any
netapp   h700s_firmware                   *        any
netapp   h700s                            *        any
netapp   h410s_firmware                   *        any
netapp   h410s                            *        any
splunk   universal_forwarder              *        ≥8.2.0 – <8.2.12
splunk   universal_forwarder              *        ≥9.0.0 – <9.0.6
splunk   universal_forwarder              9.1.0    any

References (5)

  • https://hackerone.com/reports/1543773 (Exploit; Third Party Advisory)
  • https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html (Mailing List; Third Party Advisory)
  • https://security.gentoo.org/glsa/202212-01 (Third Party Advisory)
  • https://security.netapp.com/advisory/ntap-20220609-0008/ (Third Party Advisory)
  • https://www.debian.org/security/2022/dsa-5197 (Third Party Advisory)

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.