Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-32205

Good to know:

icon

Date: July 7, 2022

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

Language: C

Severity Score

Related Resources (15)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/
https://support.apple.com/kb/HT213488
https://people.canonical.com/~ubuntu-security/cve/CVE-2022-32205
https://security.netapp.com/advisory/ntap-20220915-0003/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/
https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf
http://seclists.org/fulldisclosure/2022/Oct/28
http://seclists.org/fulldisclosure/2022/Oct/41
https://security.gentoo.org/glsa/202212-01
https://nvd.nist.gov/vuln/detail/CVE-2022-32205
https://security.alpinelinux.org/vuln/CVE-2022-32205
https://www.debian.org/security/2022/dsa-5197
https://security-tracker.debian.org/tracker/CVE-2022-32205
https://hackerone.com/reports/1569946
https://www.mend.io/vulnerability-database/CVE-2022-32205

Severity Score

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

icon

Upgrade Version

Upgrade to version curl-7_71_0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): LOW

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us