PT-2022-6538 · Curl+10 · Curl+9

Kurohiro · Published 2022-10-29 · Updated 2026-05-18 · CVE-2022-43551

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: curl versions prior to 7.87.0; MySQL Server versions 5.7.41 and earlier, 8.0.32 and earlier
Description: curl's HSTS check can be bypassed so that curl keeps using plain HTTP for a host that should have been upgraded to HTTPS. The bypass occurs when the host name in the given URL contains IDN characters that are replaced by their ASCII counterparts during IDN conversion: curl stores the HSTS entry in IDN-encoded form but looks it up in the decoded form, so the lookup fails and subsequent requests to that host are sent in clear text. This could allow a remote attacker to gain unauthorized access to protected information.
Recommendations: For curl versions prior to 7.87.0, update to version 7.87.0 or later to resolve the issue. For MySQL Server versions 5.7.41 and earlier and 8.0.32 and earlier, update to a version that includes the fix for this vulnerability. As a temporary workaround, consider disabling HSTS support in curl until the fix can be applied. Restrict access to the vulnerable curl functionality to minimize the risk of exploitation.

Tags: Exploit · Fix · DoS

Weakness Enumeration: Cleartext Transmission of Sensitive Information

Related Identifiers

ALT-PU-2022-3379
ALT-PU-2022-3439
ALT-PU-2023-5727
ALT-PU-2023-7320
ALT-PU-2023-7463
ALT-PU-2023-7647
ALT-PU-2023-7888
AZL-12107
AZL-12930
AZL-34616
AZL-38788
BDU:2023-02157
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2022-43551
MGASA-2022-0483
OESA-2023-1007
OESA-2023-1834
OESA-2023-1835
OESA-2023-1836
OESA-2024-2071
OPENSUSE-SU-2022_4597-1
OPENSUSE-SU-2024:12583-1
RHSA-2023:3354
SUSE-SU-2022:4597-1
SUSE-SU-2022_4597-1
USN-5788-1

Affected Products

ALT Linux
Debian
IBM AIX
Linux Mint
Apple macOS
MySQL Server
RED OS
SUSE
Ubuntu
curl