CURL-CVE-2022-32207
- Source
- https://curl.se/docs/CVE-2022-32207.html
- Import Source
- https://curl.se/docs/CURL-CVE-2022-32207.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2022-32207
- Aliases
- Published
- 2022-06-27T08:00:00Z
- Modified
- 2026-05-27T02:29:31.351331Z
- Summary
- Non-preserved file permissions
- Details
-
When curl saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target filename.
In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended.
- Database specific
{ "www": "https://curl.se/docs/CVE-2022-32207.html", "CWE": { "id": "CWE-281", "desc": "Improper Preservation of Permissions" }, "severity": "Medium", "issue": "https://hackerone.com/reports/1573634", "last_affected": "7.83.1", "package": "curl", "URL": "https://curl.se/docs/CVE-2022-32207.json", "affects": "both", "award": { "currency": "USD", "amount": "2400" } }- References
-
- Credits
-
-
- Harry Sintonen - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced7.69.0Fixed7.84.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events
Affected versions
7.*
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
Other
curl-7_69_0
curl-7_69_1
curl-7_70_0
curl-7_71_0
curl-7_71_1
curl-7_72_0
curl-7_73_0
curl-7_74_0
curl-7_75_0
curl-7_76_0
curl-7_76_1
curl-7_77_0
curl-7_78_0
curl-7_79_0
curl-7_79_1
curl-7_80_0
curl-7_81_0
curl-7_82_0
curl-7_83_0
curl-7_83_1
tiny-curl-7_72_0
Database specific
source
"https://curl.se/docs/CURL-CVE-2022-32207.json"
vanir_signatures_modified
"2026-05-27T02:29:31Z"
vanir_signatures
[
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/20f9dd6bae50b7223171b17ba7798946e74f877f",
"digest": {
"function_hash": "305870156830231985557133237636686356289",
"length": 1696.0
},
"id": "CURL-CVE-2022-32207-1a290351",
"deprecated": false,
"target": {
"file": "lib/cookie.c",
"function": "cookie_output"
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/20f9dd6bae50b7223171b17ba7798946e74f877f",
"digest": {
"threshold": 0.9,
"line_hashes": [
"19542152435248566348534121121404899133",
"161367172986192604655752474631591150973",
"310751673445772978523358360521802730802",
"4424874072028108703009431066093817851",
"187440963696661346408659508771285993647",
"302895510676315582129922617783820223302",
"135815602676182081692811014512791179341",
"330436315805160357036125107162565285681",
"193568821849953497900893711564012248332",
"246537596910753757772219533742246397862",
"117533370912079928344900381165105363760",
"170086517522843419575198603782172205566",
"141821886680241180494020230255407031868",
"94742408489309836486471842947633187974",
"328885262848515589541727135342267286078",
"215183553528032001964437814862826714404",
"129336455590798651885286212325919621165",
"126236476153916860056453326280829059280",
"13477195757736043971976616540328472352",
"105791471826809518909761125461019016874",
"323647520086621415914899601557635000029",
"58910070339272998776735321338979916801",
"216274372733572833682556657574977594210"
]
},
"id": "CURL-CVE-2022-32207-3458378d",
"deprecated": false,
"target": {
"file": "lib/cookie.c"
}
}
]