PT-2022-5939 · Curl+8

Nyymi · Published 2022-06-27 · Updated 2026-05-18 · CVE-2022-32207

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: curl versions prior to 7.84.0

Description: The issue is related to how curl saves cookies, alt-svc, and hsts data to local files. When curl performs this operation, it uses a temporary file that is later renamed to the final target filename. However, during this rename operation, the permissions for the target file might be accidentally widened, making the updated file accessible to more users than intended. This could potentially allow a remote attacker to disclose protected information or cause a denial of service.

Recommendations: For versions prior to 7.84.0, update to curl version 7.84.0 to resolve the issue. As a temporary workaround, consider restricting access to the files where cookies, alt-svc, and hsts data are saved to minimize the risk of exploitation.
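
The save pattern the description refers to (write a temporary file, then rename it over the target), shown as an added example that is not curl's code or its 7.84.0 patch. The hypothetical helper `save_preserving_mode` copies the existing file's permission bits onto the temporary file before the rename, so an update cannot leave the file more widely readable; the path and file contents are constructed.

```c
/* Added example (not curl source): save-by-rename that keeps the target's mode. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int mode_of(const char *path)
{
  struct stat sb;
  return stat(path, &sb) == 0 ? (int)(sb.st_mode & 0777) : -1;
}

/* Hypothetical helper: replace path with data through a temp file and rename().
   An existing file keeps its mode; a new file gets 0600. Returns 0 on success. */
int save_preserving_mode(const char *path, const char *data)
{
  char tmp[4096];
  size_t len = strlen(data);
  int old = mode_of(path);
  mode_t mode = old >= 0 ? (mode_t)old : 0600;
  int fd, ok;

  if(snprintf(tmp, sizeof(tmp), "%s.XXXXXX", path) >= (int)sizeof(tmp))
    return -1;
  fd = mkstemp(tmp);                 /* temp file is created 0600 */
  if(fd < 0)
    return -1;
  /* Set the final mode on the temp file before it becomes visible as path. */
  ok = write(fd, data, len) == (ssize_t)len && fchmod(fd, mode) == 0;
  if(close(fd) != 0)
    ok = 0;
  if(ok && rename(tmp, path) == 0)
    return 0;
  unlink(tmp);                       /* never leave a stray temp copy */
  return -1;
}

int main(void)
{
  const char *jar = "/tmp/example-cookies.txt";   /* constructed path */
  if(save_preserving_mode(jar, "# constructed cookie jar\n") != 0)
    return 1;
  printf("%s mode %o\n", jar, (unsigned)mode_of(jar));
  return 0;
}
```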

Exploit

Fix

DoS

Improper Preservation of Permissions

Incorrect Default Permissions

Weakness Enumeration

Related Identifiers

ALSA-2022:6157
ALT-PU-2022-2421
ALT-PU-2022-2588
ALT-PU-2022-2874
AZL-10103
BDU:2022-07361
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2022-32207
DSA-5197-1
MGASA-2022-0250
OESA-2022-1744
OPENSUSE-SU-2022_2305-1
OPENSUSE-SU-2024:12214-1
RHSA-2022:6157
RHSA-2022:8840
RHSA-2022_6157
RLSA-2022:6157
SUSE-SU-2022:2305-1
USN-5495-1
USN-5495-2

Affected Products

ALT Linux
AlmaLinux
Linux Mint
Apple macOS
Red Hat
Rocky Linux
SUSE
Ubuntu
Curl