ID

VAR-202206-1961


CVE

CVE-2022-32208


TITLE

curl Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202206-2573

DESCRIPTION

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

8) - aarch64, ppc64le, s390x, x86_64

3. Description: The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):
2099300 - CVE-2022-32206 curl: HTTP compression denial of service
2099306 - CVE-2022-32208 curl: FTP-KRB bad message verification

6. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7.

Red Hat Security Advisory
Synopsis: Moderate: RHACS 3.72 enhancement and security update
Advisory ID: RHSA-2022:6714-01
Product: RHACS
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6714
Issue date: 2022-09-26
CVE Names: CVE-2015-20107 CVE-2022-0391 CVE-2022-1292 CVE-2022-1586 CVE-2022-1785 CVE-2022-1897 CVE-2022-1927 CVE-2022-2068 CVE-2022-2097 CVE-2022-24675 CVE-2022-24921 CVE-2022-28327 CVE-2022-29154 CVE-2022-29526 CVE-2022-30631 CVE-2022-32206 CVE-2022-32208 CVE-2022-34903

1. Summary: Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes new features and bug fixes. Red Hat Product Security has rated this update as having a security impact of Moderate.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description: Release of RHACS 3.72 provides these changes:

New features
* Automatic removal of nonactive clusters from RHACS: RHACS provides the ability to configure your system to automatically remove nonactive clusters from RHACS so that you can monitor active clusters only.
* Support for unauthenticated email integration: RHACS now supports unauthenticated SMTP for email integrations. This is insecure and not recommended.
* Support for Quay robot accounts: RHACS now supports use of robot accounts in quay.io integrations. You can create robot accounts in Quay that allow you to share credentials for use in multiple repositories.
* Ability to view Dockerfile lines in images that introduced components with Common Vulnerabilities and Exposures (CVEs): In the Images view, under Image Findings, you can view individual lines in the Dockerfile that introduced the components that have been identified as containing CVEs.
* Network graph improvements: RHACS 3.72 includes some improvements to the Network Graph user interface.

Known issue
* RHACS shows the wrong severity when two severities exist for a single vulnerability in a single distribution. This issue occurs because RHACS scopes severities by namespace rather than component. There is no workaround. It is anticipated that an upcoming release will include a fix for this issue. (ROX-12527)

Bug fixes
* Before this update, the steps to configure OpenShift Container Platform OAuth for more than one URI were missing. The documentation has been revised to include instructions for configuring OAuth in OpenShift Container Platform to use more than one URI. For more information, see Creating additional routes for the OpenShift Container Platform OAuth server.
(ROX-11296)
* Before this update, the autogenerated image integration, such as a Docker registry integration, for a cluster is not deleted when the cluster is removed from Central. This issue is fixed. (ROX-9398)
* Before this update, the Image OS policy criteria did not support regular expressions, or regex. However, the documentation indicated that regular expressions were supported. This issue is fixed by adding support for regular expressions for the Image OS policy criteria. (ROX-12301)
* Before this update, the syslog integration did not respect a configured TCP proxy. This is now fixed.
* Before this update, the scanner-db pod failed to start when a resource quota was set for the stackrox namespace, because the init-db container in the pod did not have any resources assigned to it. The init-db container for ScannerDB now specifies resource requests and limits that match the db container. (ROX-12291)

Notable technical changes
* Scanning support for Red Hat Enterprise Linux 9: RHEL 9 is now generally available (GA). RHACS 3.72 introduces support for analyzing images built with Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux (RHEL) 9 RPMs for vulnerabilities.
* Policy for CVEs with fixable CVSS of 6 or greater disabled by default: Beginning with this release, the Fixable CVSS >= 6 and Privileged policy is no longer enabled by default for new RHACS installations. The configuration of this policy is not changed when upgrading an existing system. A new policy Privileged Containers with Important and Critical Fixable CVEs, which gives an alert for containers running in privileged mode that have important or critical fixable vulnerabilities, has been added.
Security Fix(es)
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
* golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921)
* golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
* golang: syscall: faccessat checks wrong group (CVE-2022-29526)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution: To take advantage of the new features, bug fixes, and enhancements in RHACS 3.72 you are advised to upgrade to RHACS 3.72.0.

4. Bugs fixed (https://bugzilla.redhat.com/):
2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.jboss.org/):
ROX-12799 - Release RHACS 3.72.0

6.
References:
https://access.redhat.com/security/cve/CVE-2015-20107
https://access.redhat.com/security/cve/CVE-2022-0391
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-24921
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-29526
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/cve/CVE-2022-34903
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/acs/3.72/release_notes/372-release-notes.html

7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Description: Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud. For more information about Submariner, see the Submariner open source community website at: https://submariner.io/. Clusters and applications are all visible and managed from a single console—with security policy built in.
See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/

Security fixes:
* golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* nodejs16: CRLF injection in node-undici (CVE-2022-31150)
* nodejs/undici: Cookie headers uncleared on cross-origin redirect (CVE-2022-31151)
* vm2: Sandbox Escape in vm2 (CVE-2022-36067)

Bug fixes:
* RHACM 2.4 using deprecated APIs in managed clusters (BZ# 2041540)
* vSphere network name doesn't allow entering spaces and doesn't reflect YAML changes (BZ# 2074766)
* cluster update status is stuck, also update is not even visible (BZ# 2079418)
* Policy that creates cluster role is showing as not compliant due to Request entity too large message (BZ# 2088486)
* Upgraded from RHACM 2.2-->2.3-->2.4 and cannot create cluster (BZ# 2089490)
* ACM Console Becomes Unusable After a Time (BZ# 2097464)
* RHACM 2.4.6 images (BZ# 2100613)
* Cluster Pools with conflicting name of existing clusters in same namespace fails creation and deletes existing cluster (BZ# 2102436)
* ManagedClusters in Pending import state after ACM hub migration (BZ# 2102495)

3.
Bugs fixed (https://bugzilla.redhat.com/):
2041540 - RHACM 2.4 using deprecated APIs in managed clusters
2074766 - vSphere network name doesn't allow entering spaces and doesn't reflect YAML changes
2079418 - cluster update status is stuck, also update is not even visible
2088486 - Policy that creates cluster role is showing as not compliant due to Request entity too large message
2089490 - Upgraded from RHACM 2.2-->2.3-->2.4 and cannot create cluster
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2097464 - ACM Console Becomes Unusable After a Time
2100613 - RHACM 2.4.6 images
2102436 - Cluster Pools with conflicting name of existing clusters in same namespace fails creation and deletes existing cluster
2102495 - ManagedClusters in Pending import state after ACM hub migration
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2109354 - CVE-2022-31150 nodejs16: CRLF injection in node-undici
2121396 - CVE-2022-31151 nodejs/undici: Cookie headers uncleared on cross-origin redirect
2124794 - CVE-2022-36067 vm2: Sandbox Escape in vm2

5.

Ubuntu Security Notice USN-5495-1
June 27, 2022
curl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary: Several security issues were fixed in curl.

An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 21.10, and Ubuntu 22.04 LTS. (CVE-2022-32205)

Harry Sintonen discovered that curl incorrectly handled certain HTTP compressions. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-32206)

Harry Sintonen discovered that curl incorrectly handled certain file permissions. An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 21.10, and Ubuntu 22.04 LTS. (CVE-2022-32207)

Harry Sintonen discovered that curl incorrectly handled certain FTP-KRB messages. An attacker could possibly use this to perform a machine-in-the-middle attack. (CVE-2022-32208)

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS:
curl 7.81.0-1ubuntu1.3
libcurl3-gnutls 7.81.0-1ubuntu1.3
libcurl3-nss 7.81.0-1ubuntu1.3
libcurl4 7.81.0-1ubuntu1.3

Ubuntu 21.10:
curl 7.74.0-1.3ubuntu2.3
libcurl3-gnutls 7.74.0-1.3ubuntu2.3
libcurl3-nss 7.74.0-1.3ubuntu2.3
libcurl4 7.74.0-1.3ubuntu2.3

Ubuntu 20.04 LTS:
curl 7.68.0-1ubuntu2.12
libcurl3-gnutls 7.68.0-1ubuntu2.12
libcurl3-nss 7.68.0-1ubuntu2.12
libcurl4 7.68.0-1ubuntu2.12

Ubuntu 18.04 LTS:
curl 7.58.0-2ubuntu3.19
libcurl3-gnutls 7.58.0-2ubuntu3.19
libcurl3-nss 7.58.0-2ubuntu3.19
libcurl4 7.58.0-2ubuntu3.19

In general, a standard system update will make all the necessary changes.

Description: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
Bug Fix(es):
* Cloning a Block DV to VM with Filesystem with not big enough size comes to endless loop - using pvc api (BZ#2033191)
* Restart of VM Pod causes SSH keys to be regenerated within VM (BZ#2087177)
* Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR (BZ#2089391)
* [4.11] VM Snapshot Restore hangs indefinitely when backed by a snapshotclass (BZ#2098225)
* Fedora version in DataImportCrons is not 'latest' (BZ#2102694)
* [4.11] Cloned VM's snapshot restore fails if the source VM disk is deleted (BZ#2109407)
* CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls (BZ#2110562)
* Nightly build: v4.11.0-578: index format was changed in 4.11 to file-based instead of sqlite-based (BZ#2112643)
* Unable to start windows VMs on PSI setups (BZ#2115371)
* [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24 (BZ#2128997)
* Mark Windows 11 as TechPreview (BZ#2129013)
* 4.11.1 rpms (BZ#2139453)

This advisory contains the following OpenShift Virtualization 4.11.1 images.
RHEL-8-CNV-4.11
virt-cdi-operator-container-v4.11.1-5
virt-cdi-uploadserver-container-v4.11.1-5
virt-cdi-apiserver-container-v4.11.1-5
virt-cdi-importer-container-v4.11.1-5
virt-cdi-controller-container-v4.11.1-5
virt-cdi-cloner-container-v4.11.1-5
virt-cdi-uploadproxy-container-v4.11.1-5
checkup-framework-container-v4.11.1-3
kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.11.1-7
kubevirt-tekton-tasks-create-datavolume-container-v4.11.1-7
kubevirt-template-validator-container-v4.11.1-4
virt-handler-container-v4.11.1-5
hostpath-provisioner-operator-container-v4.11.1-4
virt-api-container-v4.11.1-5
vm-network-latency-checkup-container-v4.11.1-3
cluster-network-addons-operator-container-v4.11.1-5
virtio-win-container-v4.11.1-4
virt-launcher-container-v4.11.1-5
ovs-cni-marker-container-v4.11.1-5
hyperconverged-cluster-webhook-container-v4.11.1-7
virt-controller-container-v4.11.1-5
virt-artifacts-server-container-v4.11.1-5
kubevirt-tekton-tasks-modify-vm-template-container-v4.11.1-7
kubevirt-tekton-tasks-disk-virt-customize-container-v4.11.1-7
libguestfs-tools-container-v4.11.1-5
hostpath-provisioner-container-v4.11.1-4
kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.11.1-7
kubevirt-tekton-tasks-copy-template-container-v4.11.1-7
cnv-containernetworking-plugins-container-v4.11.1-5
bridge-marker-container-v4.11.1-5
virt-operator-container-v4.11.1-5
hostpath-csi-driver-container-v4.11.1-4
kubevirt-tekton-tasks-create-vm-from-template-container-v4.11.1-7
kubemacpool-container-v4.11.1-5
hyperconverged-cluster-operator-container-v4.11.1-7
kubevirt-ssp-operator-container-v4.11.1-4
ovs-cni-plugin-container-v4.11.1-5
kubevirt-tekton-tasks-cleanup-vm-container-v4.11.1-7
kubevirt-tekton-tasks-operator-container-v4.11.1-2
cnv-must-gather-container-v4.11.1-8
kubevirt-console-plugin-container-v4.11.1-9
hco-bundle-registry-container-v4.11.1-49

3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied.
Bugs fixed (https://bugzilla.redhat.com/):
2033191 - Cloning a Block DV to VM with Filesystem with not big enough size comes to endless loop - using pvc api
2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
2070772 - When specifying pciAddress for several SR-IOV NIC they are not correctly propagated to libvirt XML
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2087177 - Restart of VM Pod causes SSH keys to be regenerated within VM
2089391 - Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR
2091856 - 'Edit BootSource' action should have more explicit information when disabled
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2098225 - [4.11] VM Snapshot Restore hangs indefinitely when backed by a snapshotclass
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2102694 - Fedora version in DataImportCrons is not 'latest'
2109407 - [4.11] Cloned VM's snapshot restore fails if the source VM disk is deleted
2110562 - CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls
2112643 - Nightly build: v4.11.0-578: index format was changed in 4.11 to file-based instead of sqlite-based
2115371 - Unable to start windows VMs on PSI setups
2119613 - GiB changes to B in Template's Edit boot source reference modal
2128554 - The storageclass of VM disk is different from quick created and customize created after changed the default storageclass
2128872 - [4.11]Can't restore cloned VM
2128997 - [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24
2129013 - Mark Windows 11 as TechPreview
2129235 - [RFE] Add "Copy SSH command" to VM action list
2134668 - Cannot edit ssh even vm is stopped
2139453 - 4.11.1 rpms

5

Trust: 1.62

sources: NVD: CVE-2022-32208 // VULHUB: VHN-424135 // PACKETSTORM: 168158 // PACKETSTORM: 168516 // PACKETSTORM: 168265 // PACKETSTORM: 168538 // PACKETSTORM: 167661 // PACKETSTORM: 167607 // PACKETSTORM: 170083

AFFECTED PRODUCTS

vendor: netapp, model: h300s, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: h410s, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: solidfire, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: bootstrap os, scope: eq, version: -

Trust: 1.0

vendor: splunk, model: universal forwarder, scope: eq, version: 9.1.0

Trust: 1.0

vendor: netapp, model: h700s, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: element software, scope: eq, version: -

Trust: 1.0

vendor: splunk, model: universal forwarder, scope: lt, version: 8.2.12

Trust: 1.0

vendor: fedoraproject, model: fedora, scope: eq, version: 35

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 11.0

Trust: 1.0

vendor: splunk, model: universal forwarder, scope: lt, version: 9.0.6

Trust: 1.0

vendor: apple, model: macos, scope: lt, version: 13.0

Trust: 1.0

vendor: haxx, model: curl, scope: lt, version: 7.84.0

Trust: 1.0

vendor: haxx, model: curl, scope: gte, version: 7.16.4

Trust: 1.0

vendor: splunk, model: universal forwarder, scope: gte, version: 9.0.0

Trust: 1.0

vendor: netapp, model: hci management node, scope: eq, version: -

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 10.0

Trust: 1.0

vendor: netapp, model: clustered data ontap, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: h500s, scope: eq, version: -

Trust: 1.0

vendor: splunk, model: universal forwarder, scope: gte, version: 8.2.0

Trust: 1.0

sources: NVD: CVE-2022-32208

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-32208
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202206-2573
value: MEDIUM

Trust: 0.6

VULHUB: VHN-424135
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-32208
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-424135
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-32208
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-424135 // CNNVD: CNNVD-202206-2573 // NVD: CVE-2022-32208

PROBLEMTYPE DATA

problemtype: CWE-787

Trust: 1.1

problemtype: CWE-840

Trust: 1.0

sources: VULHUB: VHN-424135 // NVD: CVE-2022-32208

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 167661 // CNNVD: CNNVD-202206-2573

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202206-2573

PATCH

title: curl Buffer error vulnerability fix, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=199974

Trust: 0.6

sources: CNNVD: CNNVD-202206-2573

EXTERNAL IDS

db: NVD, id: CVE-2022-32208

Trust: 2.4

db: HACKERONE, id: 1590071

Trust: 1.7

db: PACKETSTORM, id: 167661

Trust: 0.8

db: PACKETSTORM, id: 167607

Trust: 0.8

db: PACKETSTORM, id: 168284

Trust: 0.7

db: PACKETSTORM, id: 168174

Trust: 0.7

db: PACKETSTORM, id: 168503

Trust: 0.7

db: PACKETSTORM, id: 168378

Trust: 0.7

db: PACKETSTORM, id: 168347

Trust: 0.7

db: PACKETSTORM, id: 168301

Trust: 0.7

db: PACKETSTORM, id: 170166

Trust: 0.6

db: AUSCERT, id: ESB-2022.3366

Trust: 0.6

db: AUSCERT, id: ESB-2022.6333

Trust: 0.6

db: AUSCERT, id: ESB-2023.3732

Trust: 0.6

db: AUSCERT, id: ESB-2022.6290

Trust: 0.6

db: AUSCERT, id: ESB-2022.4468

Trust: 0.6

db: AUSCERT, id: ESB-2022.4757

Trust: 0.6

db: AUSCERT, id: ESB-2023.3143

Trust: 0.6

db: AUSCERT, id: ESB-2022.4324

Trust: 0.6

db: AUSCERT, id: ESB-2022.5247

Trust: 0.6

db: AUSCERT, id: ESB-2022.4266

Trust: 0.6

db: AUSCERT, id: ESB-2022.4112

Trust: 0.6

db: AUSCERT, id: ESB-2022.3117

Trust: 0.6

db: AUSCERT, id: ESB-2022.5300

Trust: 0.6

db: AUSCERT, id: ESB-2023.2163

Trust: 0.6

db: AUSCERT, id: ESB-2022.4525

Trust: 0.6

db: AUSCERT, id: ESB-2022.4568

Trust: 0.6

db: CS-HELP, id: SB2022071168

Trust: 0.6

db: CS-HELP, id: SB2022062927

Trust: 0.6

db: CS-HELP, id: SB2022070101

Trust: 0.6

db: CNNVD, id: CNNVD-202206-2573

Trust: 0.6

db: PACKETSTORM, id: 168158

Trust: 0.2

db: PACKETSTORM, id: 168275

Trust: 0.1

db: PACKETSTORM, id: 168289

Trust: 0.1

db: VULHUB, id: VHN-424135

Trust: 0.1

db: PACKETSTORM, id: 168516

Trust: 0.1

db: PACKETSTORM, id: 168265

Trust: 0.1

db: PACKETSTORM, id: 168538

Trust: 0.1

db: PACKETSTORM, id: 170083

Trust: 0.1

sources: VULHUB: VHN-424135 // PACKETSTORM: 168158 // PACKETSTORM: 168516 // PACKETSTORM: 168265 // PACKETSTORM: 168538 // PACKETSTORM: 167661 // PACKETSTORM: 167607 // PACKETSTORM: 170083 // CNNVD: CNNVD-202206-2573 // NVD: CVE-2022-32208

REFERENCES

url:https://security.netapp.com/advisory/ntap-20220915-0003/

Trust: 1.7

url:https://support.apple.com/kb/ht213488

Trust: 1.7

url:https://www.debian.org/security/2022/dsa-5197

Trust: 1.7

url:http://seclists.org/fulldisclosure/2022/oct/28

Trust: 1.7

url:http://seclists.org/fulldisclosure/2022/oct/41

Trust: 1.7

url:https://security.gentoo.org/glsa/202212-01

Trust: 1.7

url:https://hackerone.com/reports/1590071

Trust: 1.7

url:https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

Trust: 1.7

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/bev6br4mti3cewk2yu2hqzuw5fas3fey/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/bev6br4mti3cewk2yu2hqzuw5fas3fey/

Trust: 0.7

url:https://www.cybersecurity-help.cz/vdb/sb2022071168

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3143

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022062927

Trust: 0.6

url:https://support.apple.com/en-us/ht213488

Trust: 0.6

url:https://packetstormsecurity.com/files/168347/red-hat-security-advisory-2022-6422-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.6290

Trust: 0.6

url:https://vigilance.fr/vulnerability/curl-man-in-the-middle-via-ftp-krb-message-verification-38673

Trust: 0.6

url:https://packetstormsecurity.com/files/168301/red-hat-security-advisory-2022-6287-01.html

Trust: 0.6

url:https://packetstormsecurity.com/files/168174/red-hat-security-advisory-2022-6157-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4112

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5300

Trust: 0.6

url:https://packetstormsecurity.com/files/170166/red-hat-security-advisory-2022-8840-01.html

Trust: 0.6

url:https://packetstormsecurity.com/files/168378/red-hat-security-advisory-2022-6507-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5247

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.6333

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3366

Trust: 0.6

url:https://packetstormsecurity.com/files/168503/red-hat-security-advisory-2022-6560-01.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022070101

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4757

Trust: 0.6

url:https://packetstormsecurity.com/files/167607/ubuntu-security-notice-usn-5495-1.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.2163

Trust: 0.6

url:https://packetstormsecurity.com/files/167661/ubuntu-security-notice-usn-5499-1.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3732

Trust: 0.6

url:https://packetstormsecurity.com/files/168284/red-hat-security-advisory-2022-6183-01.html

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-32208/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4266

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4468

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4324

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4525

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3117

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4568

Trust: 0.6

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2022-32206

Trust: 0.5

url:https://access.redhat.com/security/team/contact/

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2022-32208

Trust: 0.5

url:https://bugzilla.redhat.com/

Trust: 0.5

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2022-2097

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-1292

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2022-1292

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2022-1586

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2022-2068

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-1586

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-32208

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-0391

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2015-20107

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-2068

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-1897

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2015-20107

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-2097

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-1785

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-1785

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-1897

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-1927

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-0391

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-34903

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-29154

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-30629

Trust: 0.3

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32206

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-28327

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-24921

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-1927

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-30631

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-24675

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-25314

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-38561

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-40528

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-25313

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-40528

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-2526

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-29824

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-38561

Trust: 0.2

url:https://access.redhat.com/security/team/key/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:6159

Trust: 0.1

url:https://issues.jboss.org/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:6714

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-29526

Trust: 0.1

url:https://docs.openshift.com/acs/3.72/release_notes/372-release-notes.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-29526

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-24921

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-28327

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-24675

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-29154

Trust: 0.1

url:https://submariner.io/getting-started/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:6346

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-32148

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1962

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-30630

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-30635

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1705

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-29824

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-28131

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2526

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-25314

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-28131

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-30633

Trust: 0.1

url:https://submariner.io/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-30632

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-30629

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1705

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-25313

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/add-ons/submariner#submariner-deploy-console

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1962

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-28915

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-27782

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1729

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:6696

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-21123

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#critical

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-32250

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-31150

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-27776

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-28915

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-21123

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-21166

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-36067

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-21125

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22576

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1729

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-27666

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1012

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-27774

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1012

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-31129

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-31151

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-27781

Trust: 0.1

url:https://ubuntu.com/security/notices/usn-5499-1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32205

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.74.0-1.3ubuntu2.3

Trust: 0.1

url:https://ubuntu.com/security/notices/usn-5495-1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32207

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.12

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.3

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.19

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-0308

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-3709

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1304

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-26700

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-26716

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-26710

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-2509

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-38177

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-0308

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22629

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-26719

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25309

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-30698

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-30699

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-0256

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-26717

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22662

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-27404

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-3709

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1304

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-0256

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25310

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22624

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-3515

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-35525

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-40674

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-24795

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:8750

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-37434

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-38178

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25308

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-27406

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-35525

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-35527

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0934

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-26709

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22628

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-27405

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-0934

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-35527

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-30293

Trust: 0.1

sources: VULHUB: VHN-424135 // PACKETSTORM: 168158 // PACKETSTORM: 168516 // PACKETSTORM: 168265 // PACKETSTORM: 168538 // PACKETSTORM: 167661 // PACKETSTORM: 167607 // PACKETSTORM: 170083 // CNNVD: CNNVD-202206-2573 // NVD: CVE-2022-32208

CREDITS

Red Hat

Trust: 0.5

sources: PACKETSTORM: 168158 // PACKETSTORM: 168516 // PACKETSTORM: 168265 // PACKETSTORM: 168538 // PACKETSTORM: 170083

SOURCES

db:VULHUB id:VHN-424135
db:PACKETSTORM id:168158
db:PACKETSTORM id:168516
db:PACKETSTORM id:168265
db:PACKETSTORM id:168538
db:PACKETSTORM id:167661
db:PACKETSTORM id:167607
db:PACKETSTORM id:170083
db:CNNVD id:CNNVD-202206-2573
db:NVD id:CVE-2022-32208

LAST UPDATE DATE

2024-11-11T22:38:34.722000+00:00

SOURCES UPDATE DATE

db:VULHUB id:VHN-424135 date:2023-01-05T00:00:00
db:CNNVD id:CNNVD-202206-2573 date:2023-06-30T00:00:00
db:NVD id:CVE-2022-32208 date:2024-03-27T15:00:41.657

SOURCES RELEASE DATE

db:VULHUB id:VHN-424135 date:2022-07-07T00:00:00
db:PACKETSTORM id:168158 date:2022-08-25T15:25:12
db:PACKETSTORM id:168516 date:2022-09-27T15:41:11
db:PACKETSTORM id:168265 date:2022-09-07T16:37:33
db:PACKETSTORM id:168538 date:2022-09-27T16:01:00
db:PACKETSTORM id:167661 date:2022-07-01T14:59:23
db:PACKETSTORM id:167607 date:2022-06-28T15:26:16
db:PACKETSTORM id:170083 date:2022-12-02T15:57:08
db:CNNVD id:CNNVD-202206-2573 date:2022-06-27T00:00:00
db:NVD id:CVE-2022-32208 date:2022-07-07T13:15:08.467