CVE-2022-32221: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (...

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.72333%
Published: 12/6/2022
Updated: 4/7/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Intelligence
Root Cause Analysis

The analysis started by examining the provided vulnerability description and reference URLs. The HackerOne report was particularly useful as it linked to a GitHub issue. Although the GitHub issue itself didn't directly contain commit SHAs, it provided context. The HackerOne report also mentioned that the fix was in curl version 7.86.0. By using get_repo_tags, I found the SHA for the curl-7_86_0 tag. To pinpoint the exact fixing commit, I compared this tag with the previous version's tag (curl-7_85_0) using compare_two_commits. This revealed a list of commits between the two versions. I identified the relevant commit (a64e3e59938abd7d667e4470a18072a24d7e9de9) by its commit message, which directly referenced the GitHub issue number associated with the vulnerability. get_commit_infos provided the diff for this commit, showing the modification in lib/setopt.c within the Curl_vsetopt function. The patch added data->set.upload = FALSE; when CURLOPT_POST is set, which is the core of the fix. Therefore, Curl_vsetopt is the vulnerable function as it contained the logic flaw that was corrected by the patch.
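
The state leak behind this fix, as an added example that is not libcurl's source or part of the original analysis: a simplified C model of a reused handle in which a stale `upload` flag left by a PUT makes a later POST take its body from the read callback. Only `upload` and the patched assignment come from the page; the struct, enums and function names are hypothetical, and the rule that `upload` is checked before the method is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of one reused easy handle. Only `upload` is named on the
   page (data->set.upload); every other name here is hypothetical. */
enum method { M_GET, M_PUT, M_POST };
enum body_source { SRC_NONE, SRC_READ_CALLBACK, SRC_POSTFIELDS };

struct handle_model {
    bool upload;            /* sticky flag set by a PUT/upload request */
    enum method method;     /* last method selected through setopt */
    const char *postfields; /* buffer the application expects to be sent */
};

/* Option setters: `fixed` selects the behaviour with the one-line patch. */
static void set_upload(struct handle_model *h) {
    h->upload = true;
    h->method = M_PUT;
}

static void set_post(struct handle_model *h, const char *body, bool fixed) {
    h->method = M_POST;
    h->postfields = body;
    if (fixed)
        h->upload = false;  /* the patch: data->set.upload = FALSE; */
}

/* Assumption of this model: transfer setup consults `upload` before the
   method, so a stale flag makes the body come from the read callback. */
static enum body_source pick_body_source(const struct handle_model *h) {
    if (h->upload)
        return SRC_READ_CALLBACK;
    if (h->method == M_POST && h->postfields)
        return SRC_POSTFIELDS;
    return SRC_NONE;
}

/* Reuse one handle for a PUT, then a POST; report where the POST body comes from. */
static enum body_source put_then_post(bool fixed) {
    struct handle_model h = { false, M_GET, NULL };
    set_upload(&h);                 /* first request: PUT */
    set_post(&h, "a=1&b=2", fixed); /* second request, same handle (constructed body) */
    return pick_body_source(&h);
}

int main(void) {
    printf("before: %d, after: %d\n", put_then_post(false), put_then_post(true));
    return 0;
}
```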

WAF Protection Rules

WAF Rule

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request w...
