CVE-2022-27779
Description
libcurl's cookie engine incorrectly allows cookies to be set for Top Level Domains when the host name includes a trailing dot, enabling cross-domain cookie injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In libcurl's cookie engine, a rudimentary check exists to prevent cookies from being set on Top Level Domains (TLDs) when Public Suffix List (PSL) support is not enabled. This check is broken if the host name in the URL uses a trailing dot, allowing cookies to be set for TLDs. Affected versions are prior to 7.86.0 [1].
Exploitation
An attacker can craft a URL with a trailing dot in the host name (e.g., http://example.com./) and set a cookie for the TLD (e.g., .com). No authentication or special privileges are required; the attacker only needs to induce a user to visit the malicious URL. The cookie is then stored and subsequently sent to any other domain under the same TLD, including unrelated sites.
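The domain check described above, as an added illustration that is not libcurl's source: a weak guard that decides "is this a bare TLD?" on the raw Domain attribute, next to a hardened guard that strips leading and trailing dots before the test and then requires the domain to be the host or one of its parents. Both functions and the names `weak_domain_allowed` / `safe_domain_allowed` are constructed for this example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed helper: copy `in` into `out` without a leading dot and
   without trailing dots, so "example.com." and ".example.com" both
   normalize to "example.com". */
static void normalize_name(const char *in, char *out, size_t outlen)
{
    size_t len;
    while (*in == '.')
        in++;
    len = strlen(in);
    while (len > 0 && in[len - 1] == '.')
        len--;
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, in, len);
    out[len] = '\0';
}

/* Weak guard: treats the Domain attribute as a TLD only when it contains
   no dot at all. A trailing dot ("com.") supplies that dot, and a request
   host written as "example.com." then domain-matches it label by label. */
bool weak_domain_allowed(const char *host, const char *domain)
{
    if (*domain == '.')
        domain++;
    if (!strchr(domain, '.'))
        return false;                         /* "com" is rejected ... */
    size_t hl = strlen(host), dl = strlen(domain);
    return hl >= dl && !strcmp(host + hl - dl, domain) &&
           (hl == dl || host[hl - dl - 1] == '.');   /* ... "com." is not */
}

/* Hardened guard: normalize both names first, then require the domain to
   keep an interior dot (not a bare TLD) and to sit on a label boundary
   of the host. */
bool safe_domain_allowed(const char *host, const char *domain)
{
    char h[256], d[256];
    normalize_name(host, h, sizeof h);
    normalize_name(domain, d, sizeof d);
    if (!d[0] || !strchr(d, '.'))
        return false;                         /* "com", ".com", "com." */
    size_t hl = strlen(h), dl = strlen(d);
    return hl >= dl && !strcmp(h + hl - dl, d) &&
           (hl == dl || h[hl - dl - 1] == '.');
}
```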
Impact
Successful exploitation allows an attacker to inject cookies that are sent to arbitrary domains sharing the same TLD. This can lead to session hijacking, cross-site request forgery, or other attacks that rely on cookie-based authentication or state, potentially compromising user data and application security.
Mitigation
Upgrade to curl version 7.86.0 or later, which contains the fix [1]. No known workaround exists for this vulnerability. Users of Gentoo Linux can follow the GLSA 202212-01 advisory to update to >=net-misc/curl-7.86.0.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- security.gentoo.org/glsa/202212-01 (mitre, vendor-advisory)
- hackerone.com/reports/1553301 (mitre)
- security.netapp.com/advisory/ntap-20220609-0009/ (mitre)
News mentions: 0
No linked articles in our index yet.