CURL-CVE-2022-27775

See a problem?
Source
https://curl.se/docs/CVE-2022-27775.html
Import Source
https://curl.se/docs/CURL-CVE-2022-27775.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2022-27775
Aliases
Published
2022-04-27T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
Bad local IPv6 connection reuse
Details

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup.

Due to errors in the logic, the config matching function did not take the IPv6 address zone id into account which could lead to libcurl reusing the wrong connection when one transfer uses a zone id and a subsequent transfer uses another (or no) zone id.

References
Credits
    • Harry Sintonen - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.65.0
Fixed
7.83.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
2d0e9b40d3237b1450cbbfbcb996da244d964898
Fixed
058f98dc3fe595f21dc26a5b9b1699e519ba5705

Affected versions

7.*

7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0