CVE-2022-32207

Name
CVE-2022-32207
Description
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.
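The permission-widening failure mode described above is a property of the generic "write to a temporary file, then rename over the target" pattern, not of any one file format. The following C program is an added illustration written for this page (it is not curl's own code and does not reproduce the actual curl patch): it shows a naive writer whose temporary file inherits the process umask, so renaming it over a 0600 cookie jar leaves the file 0644, beside a hardened writer that reads the existing target's permission bits and applies them to the temporary file before the rename. Function names, the /tmp demo directory, the umask of 022 and the cookie-jar contents are assumptions chosen for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive "write temp, then rename" (the pattern the advisory describes):
   fopen() creates the temp file with mode 0666 masked by the umask, so
   renaming it over a 0600 target widens access to that file. Returns 0/-1. */
static int atomic_write_naive(const char *path, const char *data, size_t len)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    FILE *f = fopen(tmp, "w");            /* mode 0666 & ~umask, e.g. 0644 */
    if (!f) return -1;
    if (fwrite(data, 1, len, f) != len || fclose(f) != 0) { unlink(tmp); return -1; }
    if (rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Hardened variant (assumed mitigation, not curl's actual patch): carry the
   existing target's permission bits over to the temp file before the rename,
   falling back to default_mode when no target exists yet. mkstemp() creates
   the temp file as 0600, so it is never group/world readable while being
   written. Returns 0 on success, -1 on error. */
int atomic_write_preserving_mode(const char *path, const char *data,
                                 size_t len, mode_t default_mode)
{
    struct stat st;
    mode_t mode = default_mode;
    if (stat(path, &st) == 0)
        mode = st.st_mode & 0777;         /* keep the bits the file already has */

    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    if (fchmod(fd, mode) != 0 ||          /* fchmod ignores the umask */
        write(fd, data, len) != (ssize_t)len ||
        close(fd) != 0) {
        unlink(tmp);
        return -1;
    }
    if (rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Permission bits of `path`, or -1 if it cannot be stat'ed. */
int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* One scenario in a fresh temp directory: create a 0600 target, rewrite it
   with the chosen writer, report the resulting mode (-1 on error). */
static int run_case(int hardened)
{
    char dir[] = "/tmp/cve-2022-32207-demo.XXXXXX";   /* assumed location */
    if (!mkdtemp(dir)) return -1;
    char path[4096];
    snprintf(path, sizeof path, "%s/cookies.txt", dir);
    umask(022);                            /* typical interactive umask */

    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);                             /* target starts out as 0600 */

    const char data[] = "# constructed sample cookie jar\n";  /* constructed */
    int rc = hardened ? atomic_write_preserving_mode(path, data, sizeof data - 1, 0644)
                      : atomic_write_naive(path, data, sizeof data - 1);
    int mode = rc == 0 ? file_mode(path) : -1;
    unlink(path);
    rmdir(dir);
    return mode;
}

int mode_after_naive_rewrite(void)    { return run_case(0); }  /* 0644: widened */
int mode_after_hardened_rewrite(void) { return run_case(1); }  /* 0600: preserved */

int main(void)
{
    printf("naive:    %04o\nhardened: %04o\n",
           mode_after_naive_rewrite(), mode_after_hardened_rewrite());
    return 0;
}
```

Compile with `cc -o demo demo.c && ./demo`; the naive path reports 0644 and the hardened path 0600. The point to check in any code that uses this pattern is whether the temporary file's mode is set explicitly from the target (or from a deliberately restrictive default) rather than left to the umask, since `rename()` carries the temporary file's mode onto the final name unchanged.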
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://hackerone.com/reports/1573634
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/
Third Party Advisory https://www.debian.org/security/2022/dsa-5197
Third Party Advisory https://security.netapp.com/advisory/ntap-20220915-0003/
Third Party Advisory https://support.apple.com/kb/HT213488
Third Party Advisory http://seclists.org/fulldisclosure/2022/Oct/41
Mailing List http://seclists.org/fulldisclosure/2022/Oct/28
Third Party Advisory https://security.gentoo.org/glsa/202212-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* curl >= None < 7.84.0
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* curl >= 7.69.0 < 7.84.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
curl 3.13-main 7.79.1-r3 Natanael Copa <ncopa@alpinelinux.org> fixed