CVE-2022-35252: Input Validation

Published Aug 23, 2022
·
Updated

A vulnerability found in curl. This security flaw happens when curl is used to retrieve and parse cookies from an HTTP(S) server, where it accepts cookies using control codes (byte values below 32), and also when cookies that contain such control codes are later sent back to an HTTP(S) server, possibly causing the server to return a 400 response. This issue effectively allows a "sister site" to deny service to siblings and cause a denial of service attack.

Other sources

Accounts. This issue was addressed with improved data protection.

Apple

AMD. A memory corruption issue was addressed with improved input validation.

Apple

AMD. An out-of-bounds write issue was addressed with improved input validation.

Apple

AppleMobileFileIntegrity. This issue was addressed by enabling hardened runtime.

Apple

Bluetooth. The issue was addressed with improved memory handling.

Apple

Credit

CVE-2022-35252, Mickey Jin@@patch1t(Offensive Security), Csaba Fitzl@@theevilbit(Offensive Security), Linus Henze(Pinauten GmbH), Yonghwi Jin@@jinmo123(Theori), John Balestrieri(Tinrocket), Mickey Jin@@patch1t, Tommy Muir@@Muirey03, John Aakerblom@@jaakerblom, Antonio Zekic@@antoniozekic, Weijia Dai@@dwj1210(Momo Security), Ian Beer(Google Project Zero), Felix Poulin-Belanger, pattern-f@@pattern_F_(Ant Security Light), Adam Doupé(ASU SEFCOM), Apple, Adam M., CVE-2022-46716, Jiwon Park, Mieszko Wawrzyniak, an anonymous researcher, Ivan Fratric(Google Project Zero), CVE-2022-24836, CVE-2022-29181, KirtiKumar Anandrao Ramchandani, Michael (Biscuit) Thomas, Wojciech Reguła@@_r3ggi(SecuRing), @@real_as3617, Hyeon Park@@tree_segment(Team ApplePIE), Maddie Stone(Google Project Zero), ChengGang Wu(Institute of Computing Technology), Yan Kang(Institute of Computing Technology), YuHao Hu(Institute of Computing Technology), Yue Sun(Institute of Computing Technology), Jiming Wang(Institute of Computing Technology), (Institute of Computing Technology), JiKai Ren(Institute of Computing Technology), Hang Shu(Institute of Computing Technology), Chinese Academy(Sciences), KirtiKumar Anandrao Ramchandani (kirtikumarar.com), hazbinhotel(Trend Micro Zero Day Initiative), Samuel Groß(Google V8 Security), Dohyun Lee@@l33d0hyun(DNSLab at Korea University), Ryan Shin(IAAI SecLab at Korea University), Clément Lecigne(Google's Threat Analysis Group), Thijs Alkemade@@xnyhps(Computest Sector 7), Mickey Jin@@patch1t(Trend Micro), Pan ZhenPeng@@Peterpan0927(STAR Labs SG Pte), ABC Research s.r.o.

Affected Software

39 affected componentsFixes available
redhat/jbcs-httpd24-curl<0:7.86.0-2.el8
0:7.86.0-2.el8
redhat/jbcs-httpd24-curl<0:7.86.0-2.el7
0:7.86.0-2.el7
redhat/curl<0:7.61.1-30.el8
0:7.61.1-30.el8
redhat/curl<0:7.76.1-23.el9
0:7.76.1-23.el9
redhat/curl<7.85.0
7.85.0
Apple macOS Big Sur<11.7.3
11.7.3
Apple macOS Monterey<12.6.3
12.6.3
Apple macOS Ventura<13.1
13.1
haxx curl<7.85.0
NetApp Clustered Data ONTAP
NetApp Element Software
NetApp Hci Management Node
NetApp Solidfire
NetApp Bootstrap Os
NetApp Hci Compute Node
NetApp H300s Firmware
NetApp H300s
NetApp H500s Firmware
NetApp H500s
NetApp H700s Firmware
NetApp H700s
NetApp H410s Firmware
NetApp H410s
Apple macOS>=11.0<11.7.3
Apple macOS>=12.0.0<12.6.3
Debian Debian Linux=10.0
All of the following
NetApp Bootstrap Os
NetApp Hci Compute Node
All of the following
NetApp H300s Firmware
NetApp H300s
All of the following
NetApp H500s Firmware
NetApp H500s
All of the following
NetApp H700s Firmware
NetApp H700s
All of the following
NetApp H410s Firmware
NetApp H410s
Splunk Universal Forwarder>=8.2.0<8.2.12
Splunk Universal Forwarder>=9.0.0<9.0.6
Splunk Universal Forwarder=9.1.0

Event History

Aug 23, 2022
Data Sourced
via Red Hat·03:36 PM
DescriptionSeverityAffected Software
Aug 31, 2022
CVE Published
12:00 AM
Sep 23, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionWeakness

Parent advisories

This vulnerability appears in the following advisories.

Peer vulnerabilities

Found alongside the following vulnerabilities.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID for this security flaw?

The vulnerability ID for this security flaw is CVE-2022-35252.

2

What is the severity of CVE-2022-35252?

The severity of CVE-2022-35252 is low with a CVSS score of 3.1.

3

Which software versions are affected by CVE-2022-35252?

The affected software versions are curl 7.85.0, jbcs-httpd24-curl 0:7.86.0-2.el8, jbcs-httpd24-curl 0:7.86.0-2.el7, curl 0:7.61.1-30.el8, curl 0:7.76.1-23.el9, macOS Big Sur 11.7.3, and macOS Monterey 12.6.3.

4

How can I fix the vulnerability?

To fix the vulnerability, update curl to version 7.85.0 or higher.

5

Where can I find more information about CVE-2022-35252?

You can find more information about CVE-2022-35252 at the following references: [Link 1](https://support.apple.com/en-us/HT213603), [Link 2](https://support.apple.com/en-us/HT213604), [Link 3](https://curl.se/docs/CVE-2022-35252.html).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203