VYPR
Unrated severity · NVD Advisory · Published Jun 1, 2022 · Updated Aug 3, 2024

CVE-2022-30115

Description

A trailing dot in the hostname can bypass curl's HSTS cache, preventing HTTPS upgrades and leaving HTTP traffic vulnerable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A flaw in curl's HSTS handling allows an HSTS bypass when there is a mismatch in the use of a trailing dot (.) between the URL hostname and the HSTS cache entry. If the URL contains a trailing dot but the HSTS entry does not, or vice versa, the HSTS policy is not applied and curl falls back to plain HTTP [1][2]. The affected versions are all curl releases with HSTS support prior to the fix (no specific version range given in the references) [2].
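As an added illustration of the mismatch described above (example code written for this page, not curl's own HSTS implementation or its fix): a toy in-memory HSTS cache with two lookup routines. `hsts_match_exact` compares the raw URL hostname byte-for-byte against each cache entry, so a trailing dot present on only one side misses and the client stays on plain HTTP; `hsts_match_normalized` strips a single trailing dot and lowercases ASCII on both sides before comparing. The cache entries and hostnames are constructed sample values, and the function names are this example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample HSTS cache: hosts for which a Strict-Transport-Security
 * header was previously seen. One entry was stored with a trailing dot. */
#define HSTS_CACHE_MAX 8
static const char *hsts_cache[HSTS_CACHE_MAX] = { "example.com", "secure.example.org." };
static const size_t hsts_count = 2;

/* Copy host into buf in canonical form: a single trailing dot removed and
 * ASCII letters lowercased. Truncates silently if buf is too small. */
static char *normalize_host(const char *host, char *buf, size_t buflen) {
    size_t n = strlen(host);
    if (n > 0 && host[n - 1] == '.')
        n--;                         /* "example.com." -> "example.com" */
    if (n >= buflen)
        n = buflen - 1;
    for (size_t i = 0; i < n; i++)
        buf[i] = (char)tolower((unsigned char)host[i]);
    buf[n] = '\0';
    return buf;
}

/* Flawed lookup: byte-exact comparison of the URL hostname against the
 * cache entry, so "example.com." does not match "example.com" and
 * "secure.example.org" does not match "secure.example.org.". */
bool hsts_match_exact(const char *host) {
    for (size_t i = 0; i < hsts_count; i++)
        if (strcmp(hsts_cache[i], host) == 0)
            return true;
    return false;
}

/* Hardened lookup: canonicalize both the URL hostname and each cache entry
 * before comparing, so the trailing dot no longer decides the outcome. */
bool hsts_match_normalized(const char *host) {
    char want[256], have[256];
    normalize_host(host, want, sizeof want);
    for (size_t i = 0; i < hsts_count; i++) {
        normalize_host(hsts_cache[i], have, sizeof have);
        if (strcmp(want, have) == 0)
            return true;
    }
    return false;
}

/* Scheme a client would use for a plain http:// URL to this host: "https"
 * when the HSTS policy applies, "http" otherwise. */
const char *scheme_for(const char *host, bool (*match)(const char *)) {
    return match(host) ? "https" : "http";
}

int main(void) {
    const char *hosts[] = { "example.com", "example.com.",
                            "secure.example.org", "secure.example.org." };
    printf("%-22s %-8s %-10s\n", "host", "exact", "normalized");
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s %-8s %-10s\n", hosts[i],
               scheme_for(hosts[i], hsts_match_exact),
               scheme_for(hosts[i], hsts_match_normalized));
    return 0;
}
```

Running it prints a small table: with the exact lookup, `example.com.` and `secure.example.org` both resolve to `http`, while the normalized lookup returns `https` for all four spellings. In a real client the same canonicalization should also be applied when an entry is written into the cache, so that the store never holds both forms of one host; this example only handles a single trailing dot and ASCII case, not IDNA or other hostname forms.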

Exploitation

An attacker does not need authentication or a privileged network position; they only need to craft a URL with a trailing dot, or ensure a victim's HSTS cache contains an entry with a trailing dot while the URL lacks it. When the victim uses curl to access a hostname with the mismatched dot, the HSTS check is bypassed and the connection proceeds over unencrypted HTTP [1][2].

Impact

By bypassing the HSTS cache, an attacker on the network can intercept or modify HTTP traffic that should have been upgraded to HTTPS. This leads to potential information disclosure and man-in-the-middle attacks, as the victim may inadvertently send sensitive data in clear text [1][2].

Mitigation

A fix was included in curl version 7.86.0 [3]. Users should upgrade to curl 7.86.0 (released November 2022) or later [3]. No workaround is available [3].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.