{
  "threat_severity" : "Moderate",
  "public_date" : "2022-06-27T00:00:00Z",
  "bugzilla" : {
    "description" : "curl: FTP-KRB bad message verification",
    "id" : "2099306",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2099306"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-924",
  "details" : [ "When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures incorrectly. This flaw makes it possible for a man-in-the-middle attack to go unnoticed and even allows the attacker to inject data into the client.", "A vulnerability was found in curl. This issue occurs because curl mishandles message verification failures when it does FTP transfers secured by krb5. This flaw makes it possible for a man-in-the-middle attack to go unnoticed and allows data injection into the client." ],
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8840",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-curl-0:7.86.0-2.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8840",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-curl-0:7.86.0-2.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-08-24T00:00:00Z",
    "advisory" : "RHSA-2022:6159",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "curl-0:7.61.1-22.el8_6.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-08-24T00:00:00Z",
    "advisory" : "RHSA-2022:6157",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "curl-0:7.76.1-14.el9_0.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-08-24T00:00:00Z",
    "advisory" : "RHSA-2022:6157",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "curl-0:7.76.1-14.el9_0.5"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8841",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-curl"
  } ],
  "package_state" : [ {
    "product_name" : ".NET Core 3.1 on Red Hat Enterprise Linux",
    "fix_state" : "Out of support scope",
    "package_name" : "rh-dotnet31-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:3.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "httpd24-curl",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-32208\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-32208\nhttps://curl.se/docs/CVE-2022-32208.html" ],
  "name" : "CVE-2022-32208",
  "csaw" : false
}