PT-2022-2589 · Curl+8

Harry Sintonen +1 · Published 2022-04-21 · Updated 2026-05-18 · CVE-2022-27775

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

curl versions 7.65.0 through 7.82.0

Description

The issue is related to the implementation of the configuration matching function in the curl utility, which does not properly handle IPv6 address zone IDs. This can lead to incorrect connections being made when one transfer uses a zone ID and a subsequent transfer uses a different (or no) zone ID. The vulnerability allows a remote attacker to potentially reuse a connection, leading to information disclosure.

Recommendations

For curl versions 7.65.0 through 7.82.0, update to a version that fixes the issue with the configuration matching function to prevent incorrect connections and potential information disclosure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
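
A simplified model of the connection-reuse check described above, added here as an illustration; it is not curl's source code, and the struct, the function names and the sample addresses are assumptions constructed for the example. It contrasts a match that ignores the IPv6 zone ID with one that treats a different or absent zone ID as a different destination.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical key for matching a pooled connection (not curl's structs). */
struct conn_key {
    const char  *host;     /* IPv6 literal with the zone suffix removed */
    unsigned int port;
    unsigned int scope_id; /* zone ID as an interface index, 0 = none */
};

/* Flawed match: host and port only, the zone ID is never compared. */
static bool match_ignoring_zone(const struct conn_key *c,
                                const struct conn_key *want)
{
    return c->port == want->port && strcmp(c->host, want->host) == 0;
}

/* Hardened match: a different (or absent) zone ID forbids reuse. */
static bool match_with_zone(const struct conn_key *c,
                            const struct conn_key *want)
{
    return match_ignoring_zone(c, want) && c->scope_id == want->scope_id;
}

typedef bool (*match_fn)(const struct conn_key *, const struct conn_key *);
/* Index of the first pooled connection the matcher accepts, or -1. */
static int find_reusable(const struct conn_key *pool, size_t n,
                         const struct conn_key *want, match_fn match)
{
    for (size_t i = 0; i < n; i++)
        if (match(&pool[i], want))
            return (int)i;
    return -1;
}

/* Constructed sample data: one pooled connection opened via zone 2. */
static const struct conn_key SAMPLE_POOL[] = { { "fe80::1", 443, 2 } };
static const struct conn_key SAME_ZONE  = { "fe80::1", 443, 2 };
static const struct conn_key OTHER_ZONE = { "fe80::1", 443, 3 };
static const struct conn_key NO_ZONE    = { "fe80::1", 443, 0 };

int main(void)
{
    printf("flawed, other zone: %d\n", find_reusable(SAMPLE_POOL, 1, &OTHER_ZONE, match_ignoring_zone));
    printf("fixed, no zone:     %d\n", find_reusable(SAMPLE_POOL, 1, &NO_ZONE, match_with_zone));
    printf("fixed, same zone:   %d\n", find_reusable(SAMPLE_POOL, 1, &SAME_ZONE, match_with_zone));
    return 0;
}
```

The same link-local address can name different hosts on different interfaces, which is why the zone ID has to be part of the reuse key.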

Exploit

Information Disclosure

Weakness Enumeration

Related Identifiers

ALSA-2022:8299
ALT-PU-2022-1827
ALT-PU-2022-1877
ALT-PU-2022-1902
BDU:2022-03038
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2022-27775
DSA-5197-1
MGASA-2022-0159
OESA-2022-1659
OPENSUSE-SU-2022_1657-1
OPENSUSE-SU-2024:12028-1
RHSA-2022:8299
RHSA-2022_8299
RLSA-2022:8299
SUSE-SU-2022:1657-1
SUSE-SU-2022_1657-1
USN-5397-1

Affected Products

Alt Linux
Almalinux
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Curl