CVE-2022-27782 is about libcurl reusing connections even when TLS or SSH options changed. The core issue therefore lies in the connection reuse logic, specifically in how it checks whether an existing connection matches the new request's requirements. The function ConnectionExists in lib/url.c is responsible for this check.

The patch adds a new function, ssh_config_matches, and calls it within ConnectionExists to compare SSH-specific configurations. This indicates that ConnectionExists was previously vulnerable because it lacked this check, and that ssh_config_matches was added as part of the fix.

The vulnerability was introduced when SCP support was added: commit 2147284cad introduced SCP support and the vulnerable ConnectionExists function, and commit 1645e9b4 fixed the vulnerability by adding ssh_config_matches and modifying ConnectionExists to use it. Therefore, ConnectionExists is the vulnerable function. The other functions modified in the fixing commit are either newly added helper functions (ssh_config_matches) or had minor changes not directly related to the vulnerability logic (e.g., copyright updates, comments).
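The reuse gap described above, as an added example: this is a simplified model written for illustration, not libcurl's code. The struct, its key-path fields and every function other than the name ssh_config_matches are hypothetical, and the match is reduced to host, port, user and two SSH options.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified model of a cached connection, not libcurl's own structures. */
struct conn {
  const char *host;
  int port;
  const char *user;
  const char *ssh_priv_key; /* hypothetical SSH option; NULL when unset */
  const char *ssh_pub_key;  /* hypothetical SSH option; NULL when unset */
};

/* NULL-safe compare: two unset options are equal, set vs unset is not. */
static bool safe_eq(const char *a, const char *b)
{
  return (a && b) ? strcmp(a, b) == 0 : (!a && !b);
}

/* Models the helper the fix adds: SSH settings must match for reuse. */
bool ssh_config_matches(const struct conn *a, const struct conn *b)
{
  return safe_eq(a->ssh_priv_key, b->ssh_priv_key) &&
         safe_eq(a->ssh_pub_key, b->ssh_pub_key);
}

/* Pre-fix model: endpoint and user only, SSH options are ignored. */
bool reusable_before_fix(const struct conn *have, const struct conn *want)
{
  return strcmp(have->host, want->host) == 0 && have->port == want->port &&
         safe_eq(have->user, want->user);
}

/* Post-fix model: the same checks plus the SSH configuration compare. */
bool reusable_after_fix(const struct conn *have, const struct conn *want)
{
  return reusable_before_fix(have, want) && ssh_config_matches(have, want);
}

/* Constructed sample data: one cached connection and three new requests. */
const struct conn cached = {"sftp.example.test", 22, "deploy", "/k/a", "/k/a.pub"};
const struct conn same_key = {"sftp.example.test", 22, "deploy", "/k/a", "/k/a.pub"};
const struct conn other_key = {"sftp.example.test", 22, "deploy", "/k/b", "/k/b.pub"};
const struct conn no_key = {"sftp.example.test", 22, "deploy", NULL, NULL};

/* Exit status 0 means the post-fix check refused the mismatched request. */
int main(void)
{
  return reusable_after_fix(&cached, &other_key) ? 1 : 0;
}
```

In the pre-fix model, a request that names a different key still matches the cached connection, so it would run over a session authenticated with the earlier key; the post-fix model forces a new connection instead.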