CVE-2022-43551

Published: Dic 23, 2022 Last Modified: Feb 13, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none

Description

AI Translation Available

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0004
Percentile
0,1th
Updated

EPSS Score Trend (Last 90 Days)

319

Cleartext Transmission of Sensitive Information

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality
Potential Impacts:
Read Application Data Modify Files Or Directories Other
Applicable Platforms
Technologies: Cloud Computing, ICS/OT, Mobile, Not Technology-Specific, System on Chip, Test/Debug Hardware
Likelihood of Exploit: High
View CWE Details
Application

Active Iq Unified Manager by Netapp

Product Information
Vendor Netapp
Product Active Iq Unified Manager
Version -
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Universal Forwarder by Splunk

Product Information
Vendor Splunk
Product Universal Forwarder
Version Range Affected
From 8.2.0 (inclusive)
To 8.2.12 (exclusive)
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Oncommand Workflow Automation by Netapp

Product Information
Vendor Netapp
Product Oncommand Workflow Automation
Version -
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Curl by Haxx

Product Information
Vendor Haxx
Product Curl
Version Range Affected
From 7.77.0 (inclusive)
To 7.87.0 (exclusive)
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Active Iq Unified Manager by Netapp

Product Information
Vendor Netapp
Product Active Iq Unified Manager
Version -
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Snapcenter by Netapp

Product Information
Vendor Netapp
Product Snapcenter
Version -
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Universal Forwarder by Splunk

Product Information
Vendor Splunk
Product Universal Forwarder
Version Range Affected
From 9.0.0 (inclusive)
To 9.0.6 (exclusive)
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Fedora by Fedoraproject

Product Information
Vendor Fedoraproject
Product Fedora
Version 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Universal Forwarder by Splunk

Product Information
Vendor Splunk
Product Universal Forwarder
Version 9.1.0
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Oncommand Insight by Netapp

Product Information
Vendor Netapp
Product Oncommand Insight
Version -
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://hackerone.com/reports/1755083
https://hackerone.com/reports/1755083
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://security.gentoo.org/glsa/202310-12
https://security.gentoo.org/glsa/202310-12
https://security.netapp.com/advisory/ntap-20230427-0007/
https://security.netapp.com/advisory/ntap-20230427-0007/
https://hackerone.com/reports/1755083
https://hackerone.com/reports/1755083
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://security.gentoo.org/glsa/202310-12
https://security.gentoo.org/glsa/202310-12
https://security.netapp.com/advisory/ntap-20230427-0007/
https://security.netapp.com/advisory/ntap-20230427-0007/