Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2022-35260

Public on 2022-11-08
Modified on 2024-02-01
Description

curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

Severity
Low
See what this means
CVSS v3 Base Score
5.3
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Core curl 2022-12-01 20:31 ALAS2-2022-1882
Amazon Linux 2023 curl 2023-02-17 20:47 ALAS2023-2023-083

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD CVSSv3 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2022-35260 Mitre: CVE-2022-35260 FAQs regarding Amazon Linux ALAS/CVE Severity