CVE-2022-32207
Public on 2022-07-07
Modified on 2024-02-01
Description
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.
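The failure mode described above, as an added C example (not curl's code and not part of the advisory): a temp-file-plus-rename save that leaves the new file's mode to the umask, next to one that carries the target's mode over. The names `save_atomic` and `mode_after_save`, the `.tmp` suffix and the `/tmp/jar-demo-*` path are assumptions made for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Atomic save: write "<path>.tmp", then rename() it over path. keep_mode 0
   leaves the mode to the umask (widening pattern); 1 keeps the target's. */
static int save_atomic(const char *path, const char *data, int keep_mode)
{
  char tmp[512];
  struct stat sb;
  mode_t mode = 0600; /* used when the target does not exist yet */
  int fd, ok;
  if(snprintf(tmp, sizeof(tmp), "%s.tmp", path) >= (int)sizeof(tmp))
    return -1;
  if(keep_mode && stat(path, &sb) == 0)
    mode = sb.st_mode & 0777; /* permission bits of the file being replaced */
  fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, keep_mode ? 0600 : 0666);
  if(fd < 0)
    return -1;
  ok = (!keep_mode || fchmod(fd, mode) == 0) &&
       write(fd, data, strlen(data)) == (ssize_t)strlen(data);
  ok = (close(fd) == 0) && ok;
  if(ok && rename(tmp, path) == 0)
    return 0;
  unlink(tmp);
  return -1;
}

/* Constructed demo: under umask 022, create a 0600 cookie file in a private
   temp dir, update it, and return its permission bits (-1 on error). */
static int mode_after_save(int keep_mode)
{
  char dir[] = "/tmp/jar-demo-XXXXXX", path[64];
  struct stat sb;
  int result = -1;
  mode_t old = umask(022);
  if(mkdtemp(dir)) {
    snprintf(path, sizeof(path), "%s/cookies.txt", dir);
    if(!save_atomic(path, "# v1\n", 1) && /* file starts out 0600 */
       !save_atomic(path, "# v2\n", keep_mode) && !stat(path, &sb))
      result = (int)(sb.st_mode & 0777);
    unlink(path);
    rmdir(dir);
  }
  umask(old);
  return result;
}
```

With umask 022, the first variant leaves the updated file at 0644, while the mode-preserving variant keeps it at 0600.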
Severity
CVSS v3 Base Score
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | curl | | | No Fix Planned |
| Amazon Linux 2 - Core | curl | 2022-11-08 | ALAS2-2022-1875 | Fixed |
| Amazon Linux 2023 | curl | 2023-03-22 | ALAS2023-2023-083 | Fixed |
CVSS Scores
| Source | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |