VulnerableCode Package Details - pkg:alpm/archlinux/curl@7.83.1-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-66xg-3bn3-aaaj Aliases: CVE-2022-32208	When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.	7.84.0-1 Affected by 0 other vulnerabilities.
VCID-n5y3-zhu1-aaag Aliases: CVE-2022-32205	A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.	7.84.0-1 Affected by 0 other vulnerabilities.
VCID-nyr1-ne57-aaas Aliases: CVE-2022-32207	When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended.	7.84.0-1 Affected by 0 other vulnerabilities.
VCID-vffj-n1n7-aaah Aliases: CVE-2022-32206	curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.	7.84.0-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-66xg-3bn3-aaaj
Aliases:
CVE-2022-32208

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

7.84.0-1
Affected by 0 other vulnerabilities.

VCID-n5y3-zhu1-aaag
Aliases:
CVE-2022-32205

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

7.84.0-1
Affected by 0 other vulnerabilities.

VCID-nyr1-ne57-aaas
Aliases:
CVE-2022-32207

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

7.84.0-1
Affected by 0 other vulnerabilities.

VCID-vffj-n1n7-aaah
Aliases:
CVE-2022-32206

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.

7.84.0-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2p72-eh22-aaas	The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a different URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.	CVE-2022-27780
VCID-fp8g-mu68-aaaj	libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.	CVE-2022-27779
VCID-nd5m-5pst-aaac	libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.	CVE-2022-27782
VCID-sx32-s4fx-aaas	libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.	CVE-2022-27781
VCID-t7vm-psjb-aaaa	A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.	CVE-2022-27778
VCID-zqyb-ahvr-aaaj	Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and not using thetrailing dot in the URL.	CVE-2022-30115

Vulnerability

Summary

Aliases

VCID-2p72-eh22-aaas

The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.

CVE-2022-27780

VCID-fp8g-mu68-aaaj

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.

CVE-2022-27779

VCID-nd5m-5pst-aaac

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

CVE-2022-27782

VCID-sx32-s4fx-aaas

libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.

CVE-2022-27781

VCID-t7vm-psjb-aaaa

A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.

CVE-2022-27778

VCID-zqyb-ahvr-aaaj

Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.

CVE-2022-30115

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:46:21.547145+00:00	Arch Linux Importer	Affected by	VCID-n5y3-zhu1-aaag	https://security.archlinux.org/AVG-2771	36.0.0
2025-03-28T07:46:21.220381+00:00	Arch Linux Importer	Fixing	VCID-t7vm-psjb-aaaa	https://security.archlinux.org/AVG-2706	36.0.0
2025-03-28T07:46:21.201594+00:00	Arch Linux Importer	Fixing	VCID-fp8g-mu68-aaaj	https://security.archlinux.org/AVG-2706	36.0.0
2025-03-28T07:46:21.182797+00:00	Arch Linux Importer	Fixing	VCID-2p72-eh22-aaas	https://security.archlinux.org/AVG-2706	36.0.0
2025-03-28T07:46:21.164141+00:00	Arch Linux Importer	Fixing	VCID-sx32-s4fx-aaas	https://security.archlinux.org/AVG-2706	36.0.0
2025-03-28T07:46:21.145458+00:00	Arch Linux Importer	Fixing	VCID-nd5m-5pst-aaac	https://security.archlinux.org/AVG-2706	36.0.0
2025-03-28T07:46:21.126724+00:00	Arch Linux Importer	Fixing	VCID-zqyb-ahvr-aaaj	https://security.archlinux.org/AVG-2706	36.0.0
2024-12-10T11:03:52.843586+00:00	Arch Linux Importer	Affected by	VCID-vffj-n1n7-aaah	https://security.archlinux.org/AVG-2817	35.0.0
2024-12-10T11:03:52.251664+00:00	Arch Linux Importer	Affected by	VCID-nyr1-ne57-aaas	https://security.archlinux.org/AVG-2817	35.0.0
2024-12-10T11:03:51.543850+00:00	Arch Linux Importer	Affected by	VCID-66xg-3bn3-aaaj	https://security.archlinux.org/AVG-2817	35.0.0
2024-09-18T02:01:35.639295+00:00	Arch Linux Importer	Affected by	VCID-n5y3-zhu1-aaag	https://security.archlinux.org/AVG-2771	34.0.1
2024-09-18T02:01:35.197879+00:00	Arch Linux Importer	Fixing	VCID-t7vm-psjb-aaaa	https://security.archlinux.org/AVG-2706	34.0.1
2024-09-18T02:01:35.177933+00:00	Arch Linux Importer	Fixing	VCID-fp8g-mu68-aaaj	https://security.archlinux.org/AVG-2706	34.0.1
2024-09-18T02:01:35.153071+00:00	Arch Linux Importer	Fixing	VCID-2p72-eh22-aaas	https://security.archlinux.org/AVG-2706	34.0.1
2024-09-18T02:01:35.132308+00:00	Arch Linux Importer	Fixing	VCID-sx32-s4fx-aaas	https://security.archlinux.org/AVG-2706	34.0.1
2024-09-18T02:01:35.111412+00:00	Arch Linux Importer	Fixing	VCID-nd5m-5pst-aaac	https://security.archlinux.org/AVG-2706	34.0.1
2024-09-18T02:01:35.090045+00:00	Arch Linux Importer	Fixing	VCID-zqyb-ahvr-aaaj	https://security.archlinux.org/AVG-2706	34.0.1
2024-01-03T22:27:43.054971+00:00	Arch Linux Importer	Affected by	VCID-n5y3-zhu1-aaag	https://security.archlinux.org/AVG-2771	34.0.0rc1
2024-01-03T22:27:42.676325+00:00	Arch Linux Importer	Fixing	VCID-t7vm-psjb-aaaa	https://security.archlinux.org/AVG-2706	34.0.0rc1
2024-01-03T22:27:42.657441+00:00	Arch Linux Importer	Fixing	VCID-fp8g-mu68-aaaj	https://security.archlinux.org/AVG-2706	34.0.0rc1
2024-01-03T22:27:42.638383+00:00	Arch Linux Importer	Fixing	VCID-2p72-eh22-aaas	https://security.archlinux.org/AVG-2706	34.0.0rc1
2024-01-03T22:27:42.619258+00:00	Arch Linux Importer	Fixing	VCID-sx32-s4fx-aaas	https://security.archlinux.org/AVG-2706	34.0.0rc1
2024-01-03T22:27:42.600532+00:00	Arch Linux Importer	Fixing	VCID-nd5m-5pst-aaac	https://security.archlinux.org/AVG-2706	34.0.0rc1
2024-01-03T22:27:42.581527+00:00	Arch Linux Importer	Fixing	VCID-zqyb-ahvr-aaaj	https://security.archlinux.org/AVG-2706	34.0.0rc1
2024-01-03T22:25:27.392777+00:00	Arch Linux Importer	Affected by	VCID-vffj-n1n7-aaah	https://security.archlinux.org/AVG-2817	34.0.0rc1
2024-01-03T22:25:27.369464+00:00	Arch Linux Importer	Affected by	VCID-nyr1-ne57-aaas	https://security.archlinux.org/AVG-2817	34.0.0rc1
2024-01-03T22:25:27.345743+00:00	Arch Linux Importer	Affected by	VCID-66xg-3bn3-aaaj	https://security.archlinux.org/AVG-2817	34.0.0rc1

2025-03-28T07:46:21.547145+00:00

Arch Linux Importer

Affected by

VCID-n5y3-zhu1-aaag

https://security.archlinux.org/AVG-2771

36.0.0

2025-03-28T07:46:21.220381+00:00

Arch Linux Importer

Fixing

Next non-vulnerable version	7.84.0-1
Latest non-vulnerable version	8.14.1-1
Risk	4.4