Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / OAUTH2 bearer bypass in connection re-use
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table
Awarded 2400 USD

CVE-2022-22576

OAUTH2 bearer bypass in connection re-use

Project curl Security Advisory, April 27th 2022 - Permalink

VULNERABILITY

libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (OpenLDAP only).

libcurl maintains a pool of live connections after a transfer has completed (sometimes called the connection cache). This pool of connections is then gone through when a new transfer is requested and if there is a live connection available that can be reused, it is preferred instead of creating a new one.

Due to this security vulnerability, a connection that is successfully created and authenticated with a username + OAUTH2 bearer could subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer. This could lead to an authentication bypass, either by mistake or by a malicious actor.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-22576 to this issue.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Medium

AFFECTED VERSIONS

Note that libcurl is used by many applications, but not always advertised as such.

SOLUTION

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 7.83.0

B - Apply the patch to your version and rebuild

C - Set the bearer string as password as well when using OAUTH2 bearer authentication with these protocols.

TIMELINE

It was first reported to the curl project on March 18 2022. We contacted distros@openwall on April 18.

libcurl 7.83.0 was released on April 27 2022, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!