{"id":"CVE-2022-27779","details":"libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot. curl can be told to receive and send cookies. curl's \"cookie engine\" can be built with or without [Public Suffix List](https://publicsuffix.org/) awareness. If PSL support is not provided, a more rudimentary check exists to at least prevent cookies from being set on TLDs. This check was broken if the host name in the URL uses a trailing dot. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.","aliases":["CURL-CVE-2022-27779"],"modified":"2026-04-11T12:42:52.943872Z","published":"2022-06-02T14:15:44.093Z","related":["openSUSE-SU-2024:12062-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"8.2.0"},{"fixed":"8.2.12"},{"introduced":"9.0.0"},{"fixed":"9.0.6"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"9.1.0"}],"source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202212-01"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220609-0009/"},{"type":"EVIDENCE","url":"https://hackerone.com/reports/1553301"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"64db5c575d9c5536bd273a890f50777ad1ca7c13"},{"fixed":"462196e6b4a47f924293a0e26b8e9c23d37ac26f"}],"database_specific":{"cpe":"cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"7.82.0"},{"fixed":"7.83.1"}],"source":"CPE_FIELD"}}],"versions":["curl-7_82_0","curl-7_83_0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-27779.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}