CVE-2022-27781
CERTINFO never-ending busy-loop
Project curl Security Advisory, May 11 2022
VULNERABILITY
libcurl provides the CURLOPT_CERTINFO option to allow applications to request details to be returned about a TLS server's certificate chain.
Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.
INFO
This flaw was introduced in curl 7.34.0 when libcurl added support for CURLOPT_CERTINFO using NSS.
This feature is not accessible from the command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-27781 to this issue.
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 7.34.0 to and including 7.83.0
- Not affected versions: curl < 7.34.0 and curl >= 7.83.1
- Introduced-in: https://github.com/curl/curl/commit/f6c335d63f
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
A - Upgrade curl to version 7.83.1
B - Apply the patch to your local version
C - Do not use the CURLOPT_CERTINFO option
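Recommendation C only matters for builds that combine an affected libcurl version with the NSS backend, so an application that cannot upgrade can gate the option at runtime instead of dropping it everywhere. The helper below is an added example, not code from the curl project: it decides whether to leave CURLOPT_CERTINFO unset given the version string and TLS backend string that a real application would read from curl_version_info(CURLVERSION_NOW)->version and ->ssl_version. The sample version/backend pairs are constructed, and the assumption that the NSS backend string begins with "NSS" is ours; the affected range (7.34.0 to 7.83.0 inclusive) is the one this advisory states.

```c
#include <stdio.h>
#include <string.h>

/* Parse a libcurl version string such as "7.83.0" (or "7.83.0-DEV") into
 * its numeric parts. Returns 1 on success, 0 if the form is not X.Y.Z. */
int parse_curl_version(const char *s, int *major, int *minor, int *patch)
{
    char tail;
    int n = sscanf(s, "%d.%d.%d%c", major, minor, patch, &tail);
    if (n == 3)
        return 1;
    if (n == 4 && tail == '-')   /* development suffix, e.g. "7.83.0-DEV" */
        return 1;
    return 0;
}

/* Numeric three-part version comparison; result has the sign of (a - b). */
static int vcmp(int a1, int a2, int a3, int b1, int b2, int b3)
{
    if (a1 != b1) return a1 - b1;
    if (a2 != b2) return a2 - b2;
    return a3 - b3;
}

/* Returns 1 if CURLOPT_CERTINFO should NOT be enabled on this libcurl build,
 * i.e. the version lies in the advisory's affected range 7.34.0..7.83.0 and
 * the TLS backend is NSS (assumed to be reported as a string starting with
 * "NSS"). Other backends and versions outside the range return 0. An
 * unparsable version string is treated as affected so the caller fails
 * closed rather than risking the busy-loop. */
int certinfo_affected(const char *version, const char *ssl_version)
{
    int ma, mi, pa;
    if (version == NULL || !parse_curl_version(version, &ma, &mi, &pa))
        return 1;
    if (ssl_version == NULL || strncmp(ssl_version, "NSS", 3) != 0)
        return 0;
    return vcmp(ma, mi, pa, 7, 34, 0) >= 0 && vcmp(ma, mi, pa, 7, 83, 0) <= 0;
}

int main(void)
{
    /* Constructed sample builds; a real program would pass
     * curl_version_info(CURLVERSION_NOW)->version and ->ssl_version. */
    const char *samples[][2] = {
        { "7.83.0", "NSS/3.79" },        /* last affected release      */
        { "7.83.1", "NSS/3.79" },        /* fixed release              */
        { "7.33.0", "NSS/3.79" },        /* predates CERTINFO for NSS  */
        { "7.83.0", "OpenSSL/1.1.1n" },  /* other backend, unaffected  */
        { "7.83.0-DEV", "NSS/3.79" },    /* dev build in the range     */
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int skip = certinfo_affected(samples[i][0], samples[i][1]);
        printf("libcurl %-10s %-16s -> %s\n", samples[i][0], samples[i][1],
               skip ? "leave CURLOPT_CERTINFO unset"
                    : "CURLOPT_CERTINFO is safe to request");
    }
    return 0;
}
```

The check is deliberately narrow: it refuses CERTINFO only on the version/backend combination this advisory covers, so applications linked against OpenSSL, GnuTLS or a patched 7.83.1 keep the feature, while an unrecognised version string is treated as affected.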
TIMELINE
This issue was reported to the curl project on April 30, 2022. We contacted distros@openwall on May 5.
libcurl 7.83.1 was released on May 11 2022, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Florian Kohnhäuser
- Patched-by: Daniel Stenberg
Thanks a lot!