Cleartext Transmission of Sensitive Information Affecting curl package, versions [7.77.0,7.86.0)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UNMANAGED-CURL-3086043
- published 27 Oct 2022
- disclosed 26 Oct 2022
- credit Hiroki Kurosawa
Introduced: 26 Oct 2022
CVE-2022-42916 Open this link in a new tabHow to fix?
Upgrade curl
to version 7.86.0 or higher.
Overview
curl is a command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP. libcurl offers a myriad of powerful features.
Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to bypassing curl's HSTS check if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion.