CVE-2022-27782

Public on 2022-05-17
Modified on 2024-02-01
Description
libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.
Severity
Medium severity
Medium
CVSS v3 Base Score
6.0
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 curl 2022-12-01 ALAS-2022-1646 Fixed
Amazon Linux 2 - Core curl 2022-07-06 ALAS2-2022-1808 Fixed
Amazon Linux 2023 curl 2023-02-17 ALAS2023-2023-083 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 6.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
NVD CVSSv2 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
NVD CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N