Bugzilla – Bug 1198614
VUL-1: CVE-2022-22576: curl: OAUTH2 bearer bypass in connection re-use
Last modified: 2024-04-15 15:00:51 UTC
oss-security: OAUTH2 bearer bypass in connection re-use
=========================================

Project curl Security Advisory, April 27th 2022 -
[Permalink](https://curl.se/docs/CVE-2022-22576.html)

VULNERABILITY
-------------

libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer.

This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

libcurl maintains a pool of live connections after a transfer has completed (sometimes called the connection cache). This pool of connections is then gone through when a new transfer is requested and if there is a live connection available that can be reused, it is preferred instead of creating a new one.

Due to this security vulnerability, a connection that is successfully created and authenticated with a user name + OAUTH2 bearer could subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer. This could lead to an authentication bypass, either by mistake or by a malicious actor.

We are not aware of any exploit of this flaw.

INFO
----

This flaw was introduced in curl in 2013 with the commit series that started with [19a05c908f7d8b](https://github.com/curl/curl/commit/19a05c908f7d8b).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-22576 to this issue.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.33.0 to and including 7.82.0
- Not affected versions: curl < 7.33.0 and curl >= 7.83.0

Note that libcurl is used by many applications, but not always advertised as such.
THE SOLUTION
------------

A [fix for CVE-2022-22576](https://github.com/curl/curl/commit/852aa5ad351ea53e5f)

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 7.83.0

B - Apply the patch to your version and rebuild

C - Set the bearer string as password *as well* when using OAUTH2 bearer authentication with these protocols.

TIME LINE
---------

It was first reported to the curl project on March 18 2022.

We contacted distros@openwall on April 18.

libcurl 7.83.0 was released on April 27 2022, coordinated with the publication of this advisory.

CREDITS
-------

Reported and patched by Patrick Monnerat. Thanks a lot!
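The following is an added, simplified model of the connection-cache matching the advisory describes; it is not libcurl's code, and the struct names, field names and functions (pooled_conn, transfer, reuse_ok_vulnerable, reuse_ok_fixed, apply_workaround) are hypothetical. It puts the pre-7.83.0 comparison (user name and password only) beside the fixed comparison (bearer included) and shows why recommendation C, setting the bearer as the password too, closes the gap even under the old comparison. The credentials in the scenario are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of connection-cache matching for SASL protocols
 * (SMTP/IMAP/POP3/LDAP). Not libcurl's own types or logic; the real
 * comparison lives in libcurl's connection-reuse code.
 */
struct pooled_conn {            /* a live, already-authenticated connection */
    const char *user;
    const char *passwd;         /* NULL when the caller set no password */
    const char *oauth_bearer;   /* bearer the connection was authenticated with */
};

struct transfer {               /* credentials configured for a new transfer */
    const char *user;
    const char *passwd;
    const char *oauth_bearer;
};

/* NULL-safe string comparison: two unset fields count as equal. */
static bool str_eq(const char *a, const char *b)
{
    if(!a || !b)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Modelled pre-7.83.0 check: only user name and password are compared, so a
 * connection authenticated with bearer A is handed to a transfer configured
 * with bearer B (the CVE-2022-22576 condition). */
bool reuse_ok_vulnerable(const struct pooled_conn *c, const struct transfer *t)
{
    return str_eq(c->user, t->user) && str_eq(c->passwd, t->passwd);
}

/* Modelled post-fix check: the bearer has to match as well. */
bool reuse_ok_fixed(const struct pooled_conn *c, const struct transfer *t)
{
    return str_eq(c->user, t->user) && str_eq(c->passwd, t->passwd)
        && str_eq(c->oauth_bearer, t->oauth_bearer);
}

/* Advisory recommendation C: set the bearer as the password too, so even the
 * old user+password comparison tells the two transfers apart. */
struct transfer apply_workaround(struct transfer t)
{
    t.passwd = t.oauth_bearer;
    return t;
}

/* Constructed scenario: one pooled connection for "alice" authenticated with
 * bearer "tokA", then a new transfer for "alice" carrying bearer "tokB". */
static const struct pooled_conn pooled = { "alice", NULL, "tokA" };
static const struct transfer   other  = { "alice", NULL, "tokB" };
static const struct transfer   same   = { "alice", NULL, "tokA" };

bool vulnerable_reuses_wrong_bearer(void) { return reuse_ok_vulnerable(&pooled, &other); }
bool fixed_rejects_wrong_bearer(void)     { return !reuse_ok_fixed(&pooled, &other); }
bool fixed_accepts_same_bearer(void)      { return reuse_ok_fixed(&pooled, &same); }

bool workaround_rejects_wrong_bearer(void)
{
    /* With the workaround the pooled connection was itself created with
     * passwd == bearer, so model that side of the cache as well. */
    struct pooled_conn pc = { pooled.user, pooled.oauth_bearer, pooled.oauth_bearer };
    struct transfer t = apply_workaround(other);
    return !reuse_ok_vulnerable(&pc, &t);
}

int main(void)
{
    printf("old check reuses connection for a different bearer: %s\n",
           vulnerable_reuses_wrong_bearer() ? "yes (the bug)" : "no");
    printf("fixed check reuses connection for a different bearer: %s\n",
           fixed_rejects_wrong_bearer() ? "no" : "yes");
    printf("fixed check reuses connection for the same bearer: %s\n",
           fixed_accepts_same_bearer() ? "yes" : "no");
    printf("old check with bearer-as-password workaround: %s\n",
           workaround_rejects_wrong_bearer() ? "no reuse" : "reuse");
    return 0;
}
```

The model shows why the workaround is only third in the advisory's order of preference: it works because the password field happens to be compared, not because the cache understands bearers, so an application that forgets to mirror the token into the password on even one transfer is back in the vulnerable case. Upgrading to 7.83.0 or applying the fix makes the comparison explicit.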
SUSE-SU-2022:1657-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1198614,1198723,1198766
CVE References: CVE-2022-22576,CVE-2022-27775,CVE-2022-27776
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): curl-7.66.0-150200.4.30.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): curl-7.66.0-150200.4.30.1
SUSE Linux Enterprise Micro 5.2 (src): curl-7.66.0-150200.4.30.1
SUSE Linux Enterprise Micro 5.1 (src): curl-7.66.0-150200.4.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1680-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1198614,1198766
CVE References: CVE-2022-22576,CVE-2022-27776
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): curl-7.60.0-11.37.1
SUSE Linux Enterprise Server 12-SP5 (src): curl-7.60.0-11.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done