VDB

ALPINE-CVE-2022-32207

ALPINE-CVE-2022-32207 PUBLISHED CVSS 9.800000190734863 CRITICAL

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

Risk Scores

CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Alpine:v3.16curl7.19.7-r1, 7.20.1-r0, 7.20.1-r1
Alpine:v3.22curl7.47.1-r0, 7.83.1-r1, 7.83.1-r0
Alpine:v3.17curl7.19.2-r0, 7.19.2-r1, 7.19.4-r0
Alpine:v3.13curl7.79.1-r1, 0, 7.19.2-r0
Alpine:v3.20curl0, 7.19.2-r1, 7.19.4-r0
Alpine:v3.14curl7.70.0-r2, 7.19.2-r0, 7.19.2-r1
Alpine:v3.23curl7.34.0-r1, 7.35.0-r0, 7.36.0-r0
Alpine:v3.15curl7.47.1-r0, 7.60.0-r1, 7.60.0-r0
Alpine:v3.21curl7.59.0-r0, 0, 7.19.2-r0
Alpine:v3.19curl7.55.1-r0, 7.83.1-r1, 7.83.1-r0
Alpine:v3.18curl7.46.0-r1, 0, 7.19.2-r0

Timeline

  • Jul 7, 2022 CVE Published
  • Dec 3, 2025 CVE Updated
  • Apr 30, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›