CVE-2022-27775 - Vulnerability Details

An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Brocade	Fabric Operating System
Debian	Debian Linux
Haxx	Curl
Netapp	Clustered Data Ontap H300s H300s Firmware H410s H410s Firmware H500s H500s Firmware H700s H700s Firmware Hci Bootstrap Os Hci Compute Node Solidfire \& Hci Management Node Solidfire \& Hci Storage Node
Redhat	Enterprise Linux
Splunk	Universal Forwarder

Configuration 1 [-]

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*
	cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:::::::*
	cpe:2.3:a:netapp:solidfire_\&_hci_storage_node:-:::::::*
	cpe:2.3:o:brocade:fabric_operating_system:-:::::::*

Configuration 5 [-]

AND

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 9 [-]

OR	cpe:2.3:a:splunk:universal_forwarder::::::::
	cpe:2.3:a:splunk:universal_forwarder::::::::
	cpe:2.3:a:splunk:universal_forwarder:9.1.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
curl-0:7.76.1-19.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:8299	2022-11-15T00:00:00Z
curl-0:7.76.1-19.el9	cpe:/o:redhat:enterprise_linux:9	RHSA-2022:8299	2022-11-15T00:00:00Z

References

Link	Providers
https://curl.se/docs/CVE-2022-27775.html
https://hackerone.com/reports/1546268
https://nvd.nist.gov/vuln/detail/CVE-2022-27775
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220609-0008/
https://www.cve.org/CVERecord?id=CVE-2022-27775
https://www.debian.org/security/2022/dsa-5197

History

Wed, 27 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2022-06-01T00:00:00.000Z

Updated: 2026-05-27T13:33:02.028Z

Reserved: 2022-03-23T00:00:00.000Z

Link: CVE-2022-27775

Vulnrichment

Updated: 2024-08-03T05:32:59.833Z

NVD

Status : Modified

Published: 2022-06-02T14:15:43.510

Modified: 2026-05-27T14:16:37.840

Link: CVE-2022-27775

Redhat

Severity : Low

Publid Date: 2022-04-27T00:00:00Z

Links: CVE-2022-27775 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object