CURL-CVE-2022-32207

Source
https://curl.se/docs/CVE-2022-32207.html
Import Source
https://curl.se/docs/CURL-CVE-2022-32207.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2022-32207
Aliases
Published
2022-06-27T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
Non-preserved file permissions
Details

When curl saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target filename.

In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended.

References
Credits
    • Harry Sintonen - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.69.0
Fixed
7.84.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1