CVE-2022-27780

ADVISORY - nist

Summary

The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a different URL using the wrong host name when it is later retrieved. For example, a URL like http://example.com%2F127.0.0.1/, would be allowed by the parser and get transposed into http://example.com/127.0.0.1/. This flaw can be used to circumvent filters, checks and more.
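A check that a URL filter can run before handing a URL to the parser, as an added example that is not code from curl or from this advisory: it reports a URL whose host part carries a percent-encoded separator. The function name and the separator set `/?#@:` are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Separators that must not appear percent-encoded in a host name.
   The set is an assumption of this example; the advisory names only '/'. */
static const char SEPARATORS[] = "/?#@:";

static int hexval(char ch)
{
    int c = tolower((unsigned char)ch);
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Returns 1 if the host part of url holds a percent-encoded separator,
   0 if it does not, -1 if url has no "://" authority marker. */
int host_has_encoded_separator(const char *url)
{
    const char *auth = strstr(url, "://");
    if (!auth) return -1;
    auth += 3;
    /* The authority ends at the first literal '/', '?' or '#'. */
    const char *end = auth + strcspn(auth, "/?#");
    /* Userinfo may legitimately be encoded; the host starts after the last '@'. */
    const char *host = auth;
    for (const char *p = auth; p < end; p++)
        if (*p == '@') host = p + 1;
    for (const char *p = host; p + 2 < end; p++) {
        if (*p != '%') continue;
        int hi = hexval(p[1]), lo = hexval(p[2]);
        if (hi < 0 || lo < 0) continue;   /* malformed escape, not decodable */
        int c = hi * 16 + lo;
        if (c != 0 && strchr(SEPARATORS, c)) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample URLs; the first is the one from the advisory. */
    const char *samples[] = { "http://example.com%2F127.0.0.1/",
                              "http://example.com/127.0.0.1/",
                              "http://user%40corp@example.com/" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d  %s\n", host_has_encoded_separator(samples[i]), samples[i]);
    return 0;
}
```

A filter that sees a return value of 1 should reject the URL rather than try to normalise it, so that the host it checked is the host that is later contacted.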

EPSS Score: 0.00125 (0.321)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Handling of URL Encoding (Hex Encoding)

Server-Side Request Forgery (SSRF)

ADVISORY - redhat

Inappropriate Encoding for Output Context

