{
  "id": "CURL-CVE-2022-30115",
  "summary": "HSTS bypass via trailing dot",
  "details": "curl's HSTS check could be bypassed to trick it to keep using HTTP.\n\nUsing its HSTS support, curl can be instructed to use HTTPS directly instead\nof using an insecure clear-text HTTP step even when HTTP is provided in the\nURL. This mechanism could be bypassed if the hostname in the given URL used a\ntrailing dot while not using one when it built the HSTS cache. Or the other\nway around - by having the trailing dot in the HSTS cache and *not* using the\ntrailing dot in the URL.\n\nSince trailing dots in hostnames are somewhat special, many sites work\nequally fine with or without a trailing dot present.",
  "aliases": ["CVE-2022-30115"],
  "modified": "2025-05-15T17:48:29Z",
  "published": "2022-05-11T08:00:00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "severity": "Medium",
    "www": "https://curl.se/docs/CVE-2022-30115.html",
    "URL": "https://curl.se/docs/CVE-2022-30115.json",
    "CWE": {"id": "CWE-319", "desc": "Cleartext Transmission of Sensitive Information"},
    "issue": "https://hackerone.com/reports/1557449",
    "award": {"currency": "USD", "amount": "2400"},
    "last_affected": "7.83.0"
  },
  "affected": [
    {
      "ranges": [
        {"type": "SEMVER", "events": [{"introduced": "7.82.0"}, {"fixed": "7.83.1"}]},
        {"type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [{"introduced": "b27ad8e1d3e68eb3214fcbb398ca436873aa7c67"}, {"fixed": "fae6fea209a2d4db1582f608bd8cc8000721733a"}]}
      ],
      "versions": ["7.83.0", "7.82.0"],
      "database_specific": {
        "source": "https://curl.se/docs/CURL-CVE-2022-30115.json",
        "vanir_signatures": [
          {"digest": {"length": 702, "function_hash": "286552018649203210310008806275789798286"}, "signature_version": "v1", "source": "https://github.com/curl/curl.git/commit/fae6fea209a2d4db1582f608bd8cc8000721733a", "deprecated": false, "id": "CURL-CVE-2022-30115-16882aad", "signature_type": "Function", "target": {"function": "Curl_hsts", "file": "lib/hsts.c"}},
          {"digest": {"length": 815, "function_hash": "48285529592996824526528618557034084776"}, "signature_version": "v1", "source": "https://github.com/curl/curl.git/commit/fae6fea209a2d4db1582f608bd8cc8000721733a", "deprecated": false, "id": "CURL-CVE-2022-30115-a922ff8a", "signature_type": "Function", "target": {"function": "hsts_pull", "file": "lib/hsts.c"}},
          {"digest": {"length": 424, "function_hash": "89664449116294378363952448522860698971"}, "signature_version": "v1", "source": "https://github.com/curl/curl.git/commit/fae6fea209a2d4db1582f608bd8cc8000721733a", "deprecated": false, "id": "CURL-CVE-2022-30115-ba9b3f79", "signature_type": "Function", "target": {"function": "hsts_create", "file": "lib/hsts.c"}},
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "258341082644811867398322314354540185203",
                "53428199024934125380311735694406619955",
                "309356879429898724539550070674565664586",
                "234005795827227945628472736140116783277",
                "339972317069854870364729192222267317012",
                "13238677772320217473857396161329998958",
                "4495561948783380635727326822270777023",
                "27915422245645243047564625136854602929",
                "98691009393961851364818590957527477683",
                "103697503150250393033557475067255379968",
                "86645699933276910705029527344409098221",
                "91294959976918923767629474650306966691",
                "111932909036085929049843404938720806832",
                "150281844765147451534411310351020261667",
                "45556005133136173928724697274180468835",
                "54203486722361417069386816158191444906",
                "138850749939914848583381432184664788013",
                "301912007895683859042433331658952938022",
                "38768063347051256716988827618483926471",
                "33259023916527446123769704232937591944",
                "266929387625472277830448311897711113524",
                "154601849969790850070772602658803818600",
                "166929477883286857193835301417784741629",
                "190688400589302099919588849980198945149",
                "70291711216983733144801113803299181093"
              ]
            },
            "signature_version": "v1",
            "source": "https://github.com/curl/curl.git/commit/fae6fea209a2d4db1582f608bd8cc8000721733a",
            "deprecated": false,
            "id": "CURL-CVE-2022-30115-bd12fe60",
            "signature_type": "Line",
            "target": {"file": "lib/hsts.c"}
          }
        ]
      }
    }
  ],
  "schema_version": "1.7.3",
  "credits": [{"name": "Axel Chong", "type": "FINDER"}, {"name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER"}]
}