{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"MEDIUM" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"A vulnerability was found in curl. The issue occurs if curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL. It sets up the connection to the remote server by issuing a `CONNECT` request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could trigger a double-free issue in curl if using one of the following schemes in the URL for the transfer: `dict,` `gopher,` `gophers,` `ldap`, `ldaps`, `rtmp`, `rtmps`, `telnet.`", "category":"general", "title":"Synopsis" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42915" }, { "summary":"CVE-2022-42915 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/cve/2022/csaf-openeuler-cve-2022-42915.json" }, { "summary":"openEuler-SA-2022-2041", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2041" }, { "summary":"CVE-2022-42915", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-42915&packageName=curl" } ], "title":"openEuler cve CVE-2022-42915", "tracking":{ "initial_release_date":"2022-11-04T09:48:52+08:00", "revision_history":[ { "date":"2022-11-04T09:48:52+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:48:52+08:00", "summary":"Current version", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:48:52+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:48:52+08:00", "id":"CVE-2022-42915", "version":"2.0.0", "status":"interim" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"openEuler-22.03-LTS", "name":"openEuler-22.03-LTS" }, "name":"openEuler-22.03-LTS", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"curl-7.79.1-12.oe2203.aarch64.rpm", "name":"curl-7.79.1-12.oe2203.aarch64.rpm" }, "name":"curl-7.79.1-12.oe2203.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"libcurl-devel-7.79.1-12.oe2203.aarch64.rpm", "name":"libcurl-devel-7.79.1-12.oe2203.aarch64.rpm" }, "name":"libcurl-devel-7.79.1-12.oe2203.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"curl-debuginfo-7.79.1-12.oe2203.aarch64.rpm", "name":"curl-debuginfo-7.79.1-12.oe2203.aarch64.rpm" }, "name":"curl-debuginfo-7.79.1-12.oe2203.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"libcurl-7.79.1-12.oe2203.aarch64.rpm", "name":"libcurl-7.79.1-12.oe2203.aarch64.rpm" }, "name":"libcurl-7.79.1-12.oe2203.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"curl-debugsource-7.79.1-12.oe2203.aarch64.rpm", "name":"curl-debugsource-7.79.1-12.oe2203.aarch64.rpm" }, "name":"curl-debugsource-7.79.1-12.oe2203.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"curl-help-7.79.1-12.oe2203.noarch.rpm", "name":"curl-help-7.79.1-12.oe2203.noarch.rpm" }, "name":"curl-help-7.79.1-12.oe2203.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"curl-7.79.1-12.oe2203.src.rpm", "name":"curl-7.79.1-12.oe2203.src.rpm" }, "name":"curl-7.79.1-12.oe2203.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"curl-debugsource-7.79.1-12.oe2203.x86_64.rpm", "name":"curl-debugsource-7.79.1-12.oe2203.x86_64.rpm" }, "name":"curl-debugsource-7.79.1-12.oe2203.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"libcurl-7.79.1-12.oe2203.x86_64.rpm", "name":"libcurl-7.79.1-12.oe2203.x86_64.rpm" }, "name":"libcurl-7.79.1-12.oe2203.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"libcurl-devel-7.79.1-12.oe2203.x86_64.rpm", "name":"libcurl-devel-7.79.1-12.oe2203.x86_64.rpm" }, "name":"libcurl-devel-7.79.1-12.oe2203.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"curl-debuginfo-7.79.1-12.oe2203.x86_64.rpm", "name":"curl-debuginfo-7.79.1-12.oe2203.x86_64.rpm" }, "name":"curl-debuginfo-7.79.1-12.oe2203.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"curl-7.79.1-12.oe2203.x86_64.rpm", "name":"curl-7.79.1-12.oe2203.x86_64.rpm" }, "name":"curl-7.79.1-12.oe2203.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"curl-7.79.1-12.oe2203.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:curl-7.79.1-12.oe2203.aarch64", "name":"curl-7.79.1-12.oe2203.aarch64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"libcurl-devel-7.79.1-12.oe2203.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:libcurl-devel-7.79.1-12.oe2203.aarch64", "name":"libcurl-devel-7.79.1-12.oe2203.aarch64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"curl-debuginfo-7.79.1-12.oe2203.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:curl-debuginfo-7.79.1-12.oe2203.aarch64", "name":"curl-debuginfo-7.79.1-12.oe2203.aarch64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"libcurl-7.79.1-12.oe2203.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:libcurl-7.79.1-12.oe2203.aarch64", "name":"libcurl-7.79.1-12.oe2203.aarch64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"curl-debugsource-7.79.1-12.oe2203.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:curl-debugsource-7.79.1-12.oe2203.aarch64", "name":"curl-debugsource-7.79.1-12.oe2203.aarch64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"curl-help-7.79.1-12.oe2203.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:curl-help-7.79.1-12.oe2203.noarch", "name":"curl-help-7.79.1-12.oe2203.noarch as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"curl-7.79.1-12.oe2203.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:curl-7.79.1-12.oe2203.src", "name":"curl-7.79.1-12.oe2203.src as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"curl-debugsource-7.79.1-12.oe2203.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:curl-debugsource-7.79.1-12.oe2203.x86_64", "name":"curl-debugsource-7.79.1-12.oe2203.x86_64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"libcurl-7.79.1-12.oe2203.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:libcurl-7.79.1-12.oe2203.x86_64", "name":"libcurl-7.79.1-12.oe2203.x86_64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"libcurl-devel-7.79.1-12.oe2203.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:libcurl-devel-7.79.1-12.oe2203.x86_64", "name":"libcurl-devel-7.79.1-12.oe2203.x86_64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"curl-debuginfo-7.79.1-12.oe2203.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:curl-debuginfo-7.79.1-12.oe2203.x86_64", "name":"curl-debuginfo-7.79.1-12.oe2203.x86_64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"curl-7.79.1-12.oe2203.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:curl-7.79.1-12.oe2203.x86_64", "name":"curl-7.79.1-12.oe2203.x86_64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2022-42915", "notes":[ { "text":"A vulnerability was found in curl. The issue occurs if curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL. It sets up the connection to the remote server by issuing a `CONNECT` request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could trigger a double-free issue in curl if using one of the following schemes in the URL for the transfer: `dict,` `gopher,` `gophers,` `ldap`, `ldaps`, `rtmp`, `rtmps`, `telnet.`", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS:curl-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:libcurl-devel-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:curl-debuginfo-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:libcurl-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:curl-debugsource-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:curl-help-7.79.1-12.oe2203.noarch", "openEuler-22.03-LTS:curl-7.79.1-12.oe2203.src", "openEuler-22.03-LTS:curl-debugsource-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:libcurl-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:libcurl-devel-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:curl-debuginfo-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:curl-7.79.1-12.oe2203.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS:curl-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:libcurl-devel-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:curl-debuginfo-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:libcurl-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:curl-debugsource-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:curl-help-7.79.1-12.oe2203.noarch", "openEuler-22.03-LTS:curl-7.79.1-12.oe2203.src", "openEuler-22.03-LTS:curl-debugsource-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:libcurl-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:libcurl-devel-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:curl-debuginfo-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:curl-7.79.1-12.oe2203.x86_64" ], "details":"curl security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2041" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.3, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version":"3.1" }, "products":[ "openEuler-22.03-LTS:curl-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:libcurl-devel-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:curl-debuginfo-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:libcurl-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:curl-debugsource-7.79.1-12.oe2203.aarch64", "openEuler-22.03-LTS:curl-help-7.79.1-12.oe2203.noarch", "openEuler-22.03-LTS:curl-7.79.1-12.oe2203.src", "openEuler-22.03-LTS:curl-debugsource-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:libcurl-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:libcurl-devel-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:curl-debuginfo-7.79.1-12.oe2203.x86_64", "openEuler-22.03-LTS:curl-7.79.1-12.oe2203.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2022-42915" } ] }