6.5
CVE-2022-32206
- EPSS 31.97%
- Veröffentlicht 07.07.2022 13:15:08
- Zuletzt bearbeitet 05.05.2025 17:18:13
- Quelle support@hackerone.com
- CVE-Watchlists
- Unerledigt
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fedoraproject ≫ Fedora Version35
Debian ≫ Debian Linux Version10.0
Debian ≫ Debian Linux Version11.0
Netapp ≫ Clustered Data Ontap Version-
Netapp ≫ Element Software Version-
Netapp ≫ Hci Management Node Version-
Netapp ≫ Bootstrap Os Version-
Netapp ≫ H300s Firmware Version-
Netapp ≫ H500s Firmware Version-
Netapp ≫ H700s Firmware Version-
Netapp ≫ H410s Firmware Version-
Siemens ≫ Scalance Sc622-2c Firmware Version < 3.0
Siemens ≫ Scalance Sc626-2c Firmware Version < 3.0
Siemens ≫ Scalance Sc632-2c Firmware Version < 3.0
Siemens ≫ Scalance Sc636-2c Firmware Version < 3.0
Siemens ≫ Scalance Sc642-2c Firmware Version < 3.0
Siemens ≫ Scalance Sc646-2c Firmware Version < 3.0
Splunk ≫ Universal Forwarder Version >= 8.2.0 < 8.2.12
Splunk ≫ Universal Forwarder Version >= 9.0.0 < 9.0.6
Splunk ≫ Universal Forwarder Version9.1.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 31.97% | 0.981 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:N/A:P
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
|
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://www.debian.org/security/2022/dsa-5197
https://security.gentoo.org/glsa/202212-01
http://seclists.org/fulldisclosure/2022/Oct/28
http://seclists.org/fulldisclosure/2022/Oct/41
https://support.apple.com/kb/HT213488
https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/
https://security.netapp.com/advisory/ntap-20220915-0003/
http://www.openwall.com/lists/oss-security/2023/02/15/3
https://hackerone.com/reports/1570651