CVE-2022-27780

percent-encoded pathseparator in URL host

Project curl Security Advisory, May 11 2022 -Permalink

VULNERABILITY

The curl URL parser wrongly accepts percent-encoded URL separatorslike '/' when decoding the hostname part of a URL, making it adifferent URL using the wrong hostname when it is laterretrieved.

For example, a URL likehttp://example.com%2F10.0.0.1/,would be allowed by the parser and get transposed intohttp://example.com/10.0.0.1/. This flaw can be used tocircumvent filters, checks and more.

INFO

This flaw was introduced incommit9a8564a920188e, shipped in curl7.80.0 when curl added support forpercent-encoded hostnames in URLs.

The Common Vulnerabilities and Exposures (CVE) project has assignedthe name CVE-2022-27780 to this issue.

CWE-177: Improper Handling of URL Encoding

Severity: Medium

AFFECTED VERSIONS

• Affected versions: curl7.80.0 to and including7.83.0
• Not affected versions: curl <7.83.0 and curl >=7.83.1
• Introduced-in:https://github.com/curl/curl/commit/9a8564a920188e

libcurl is used by many applications, but not always advertised assuch!

SOLUTION

The URL parser now rejects hostnames that percent-decode into URLseparator characters.

• Fixed-in:https://github.com/curl/curl/commit/914aaab9153764e

RECOMMENDATIONS

A - Upgrade curl to version7.83.1

B - Apply the patch to your local version

TIMELINE

This issue was reported to the curl project on April 28, 2022. Wecontacted distros@openwall on May 5.

libcurl7.83.1 was released on May 11 2022, coordinated with thepublication of this advisory.

CREDITS

• Reported-by: Axel Chong
• Patched-by: Daniel Stenberg

Thanks a lot!