Homepage
About Snyk

Cleartext Transmission of Sensitive Information Affecting curl package, versions [7.77.0,7.86.0)

0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.2% (57th percentile)
Expand this section
NVD
7.5 high
Expand this section
SUSE
7.5 high
Expand this section
Red Hat
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-UNMANAGED-CURL-3086043
  • published 27 Oct 2022
  • disclosed 26 Oct 2022
  • credit Hiroki Kurosawa
Report a new vulnerability Found a mistake?

Introduced: 26 Oct 2022

CVE-2022-42916 Open this link in a new tab
CWE-319 Open this link in a new tab

How to fix?

Upgrade curl to version 7.86.0 or higher.

Overview

curl is a command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP. libcurl offers a myriad of powerful features.

Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to bypassing curl's HSTS check if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion.