CURL-CVE-2022-22576
- Source
- https://curl.se/docs/CVE-2022-22576.html
- Import Source
- https://curl.se/docs/CURL-CVE-2022-22576.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2022-22576
- Aliases
- Published
- 2022-04-27T08:00:00Z
- Modified
- 2025-09-27T10:58:29Z
- Summary
- OAUTH2 bearer bypass in connection reuse
- Details
-
libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (OpenLDAP only).
libcurl maintains a pool of live connections after a transfer has completed (sometimes called the connection cache). This pool of connections is then gone through when a new transfer is requested and if there is a live connection available that can be reused, it is preferred instead of creating a new one.
Due to this security vulnerability, a connection that is successfully created and authenticated with a username + OAUTH2 bearer could subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer. This could lead to an authentication bypass, either by mistake or by a malicious actor.
- Database specific
{ "award": { "currency": "USD", "amount": "2400" }, "issue": "https://hackerone.com/reports/1526328", "severity": "Medium", "affects": "both", "CWE": { "desc": "Authentication Bypass by Primary Weakness", "id": "CWE-305" }, "www": "https://curl.se/docs/CVE-2022-22576.html", "package": "curl", "last_affected": "7.82.0", "URL": "https://curl.se/docs/CVE-2022-22576.json" }- References
-
- Credits
-
-
- Patrick Monnerat - FINDER
-
- Patrick Monnerat - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced7.33.0Fixed7.83.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events