DEBIAN-CVE-2022-32207

DEBIAN-CVE-2022-32207 PUBLISHED CVSS 9.800000190734863 CRITICAL

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

Risk Scores

CVSS 3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:12	curl	0, 0, 0
Debian:14	curl	0, 0, 0
Debian:11	curl	0, 7.74.0-1.3, 7.74.0-1.3
Debian:13	curl	0, 0, 0

Exploit Intelligence

macos_v2_generated.go (github-poc)
glcve_test.go (github-poc)
macos_v1_generated.go (github-poc)

Timeline

Jul 7, 2022 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2022-32207 advisory

Open in Interactive Console →