CVE-2022-27776
Description
Curl 7.83.0 fixes a flaw where HTTP redirects to the same host on a different port leak credentials or cookies due to insufficient credential protection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2022-27776 is an insufficiently protected credentials vulnerability in curl versions prior to 7.83.0. When curl follows an HTTP redirect to the same hostname but a different port number, it may re-send Authorization or Cookie header data that were intended only for the service on the original port. This occurs because the credential scope is tied to the hostname alone, not to the combination of hostname and port. The issue affects all curl versions before 7.83.0 [3].
Exploitation
An attacker can exploit this flaw by setting up a malicious or compromised server that redirects a client request to another service on the same host but on a different port (e.g., from port 443 to port 8080). If the client application uses curl to handle the redirect with credential forwarding enabled, curl will automatically send the original authentication headers or cookies to the new destination, regardless of the port change. No special privileges or user interaction beyond making a request to the malicious server is required.
Impact
Successful exploitation allows the attacker to obtain sensitive credentials (such as HTTP Basic auth tokens or cookies) that were originally intended for a specific service on one port. These credentials can then be used to impersonate the victim or access protected resources on the different port, leading to unauthorized information disclosure or privilege escalation on that service.
Mitigation
The vulnerability is fixed in curl version 7.83.0 [3]. All users should upgrade to this release or later (the Gentoo advisory recommends version 7.86.0 [3]). The advisories document no workaround for versions that remain unpatched; in specific deployments, disabling automatic redirect following, or verifying the redirect target before credentials are re-sent, could reduce exposure.
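To make the scoping rule from the Vulnerability section concrete, here is an added Python example (not curl's code) that models the pre-7.83.0 check (hostname only) beside the fixed check (hostname plus effective port, with default ports normalised) and shows which headers each would forward on a same-host, different-port redirect; the hostnames, paths and header values are constructed.

```python
# Added example (not curl's code): models the credential-scope check that
# CVE-2022-27776 corrected. Hostnames and header values are constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
CREDENTIAL_HEADERS = ("Authorization", "Cookie")


def effective_port(url):
    """Explicit port when given, otherwise the scheme's default port."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme.lower())


def same_host_only(original, target):
    """Pre-7.83.0 scope: only the hostname is compared, so a port change passes."""
    return urlsplit(original).hostname == urlsplit(target).hostname


def same_host_and_port(original, target):
    """Fixed scope: hostname and effective port must both match."""
    return (same_host_only(original, target)
            and effective_port(original) == effective_port(target))


def headers_for_redirect(headers, original, target, in_scope):
    """Headers to re-send to `target`; credentials are dropped when out of scope."""
    if in_scope(original, target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k not in CREDENTIAL_HEADERS}


# Constructed scenario: a request to port 443 is redirected to port 8443 on the same host.
ORIGINAL_URL = "https://api.example.test/v1/profile"
REDIRECT_TARGET = "https://api.example.test:8443/v1/profile"
REQUEST_HEADERS = {
    "Authorization": "Basic Y29uc3RydWN0ZWQ6ZXhhbXBsZQ==",  # constructed value
    "Cookie": "session=constructed-session-id",
    "User-Agent": "example-client/1.0",
}


def compare_policies():
    """Return what each policy would forward to the redirect target."""
    return {
        "pre_7.83.0": headers_for_redirect(REQUEST_HEADERS, ORIGINAL_URL, REDIRECT_TARGET, same_host_only),
        "fixed": headers_for_redirect(REQUEST_HEADERS, ORIGINAL_URL, REDIRECT_TARGET, same_host_and_port),
    }


if __name__ == "__main__":
    for name, sent in compare_policies().items():
        print(f"{name}: forwards {sorted(sent)}")
```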
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
14 entries; 12 OSV package coordinates (no CPE), each with its affected version range:
- pkg:rpm/almalinux/curl, range: < 7.61.1-22.el8_6.3
- pkg:rpm/almalinux/libcurl, range: < 7.61.1-22.el8_6.3
- pkg:rpm/almalinux/libcurl-devel, range: < 7.61.1-22.el8_6.3
- pkg:rpm/almalinux/libcurl-minimal, range: < 7.61.1-22.el8_6.3
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.3, range: < 7.66.0-150200.4.30.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed, range: < 7.83.0-1.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.1, range: < 7.66.0-150200.4.30.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.2, range: < 7.66.0-150200.4.30.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3, range: < 7.66.0-150200.4.30.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 7.60.0-11.37.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 7.60.0-11.37.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5, range: < 7.60.0-11.37.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
7 references:
[1] lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7N5ZBWLNNPZKFK7Q4KEHGCJ2YELQEUJP/ (mitre, vendor-advisory)
[2] lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/ (mitre, vendor-advisory)
[3] security.gentoo.org/glsa/202212-01 (mitre, vendor-advisory)
[4] www.debian.org/security/2022/dsa-5197 (mitre, vendor-advisory)
[5] lists.debian.org/debian-lts-announce/2022/08/msg00017.html (mitre, mailing-list)
[6] hackerone.com/reports/1547048 (mitre)
[7] security.netapp.com/advisory/ntap-20220609-0008/ (mitre)
News mentions
No linked articles in our index yet.