{
  "threat_severity" : "Moderate",
  "public_date" : "2022-06-27T00:00:00Z",
  "bugzilla" : {
    "description" : "curl: HTTP compression denial of service",
    "id" : "2099300",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2099300"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "curl < 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. The use of such a decompression chain could result in a \"malloc bomb\", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.", "A vulnerability was found in curl. This issue occurs because the number of acceptable \"links\" in the \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. This flaw leads to a denial of service, either by mistake or by a malicious actor." ],
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8840",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-curl-0:7.86.0-2.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8840",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-curl-0:7.86.0-2.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-08-24T00:00:00Z",
    "advisory" : "RHSA-2022:6159",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "curl-0:7.61.1-22.el8_6.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2023-06-06T00:00:00Z",
    "advisory" : "RHSA-2023:3460",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "curl-0:7.61.1-18.el8_4.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2023-06-06T00:00:00Z",
    "advisory" : "RHSA-2023:3460",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.4",
    "package" : "curl-0:7.61.1-18.el8_4.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2023-06-06T00:00:00Z",
    "advisory" : "RHSA-2023:3460",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.4",
    "package" : "curl-0:7.61.1-18.el8_4.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-08-24T00:00:00Z",
    "advisory" : "RHSA-2022:6157",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "curl-0:7.76.1-14.el9_0.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-08-24T00:00:00Z",
    "advisory" : "RHSA-2022:6157",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "curl-0:7.76.1-14.el9_0.5"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8841",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-curl"
  } ],
  "package_state" : [ {
    "product_name" : ".NET Core 3.1 on Red Hat Enterprise Linux",
    "fix_state" : "Out of support scope",
    "package_name" : "rh-dotnet31-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:3.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "httpd24-curl",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-32206\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-32206\nhttps://curl.se/docs/CVE-2022-32206.html" ],
  "name" : "CVE-2022-32206",
  "csaw" : false
}