
Cloud Vulnerability DB
A community-led vulnerabilities database
The curl URL parser vulnerability (CVE-2022-27780) was discovered in April 2022 and disclosed on May 11, 2022. The vulnerability affects curl versions 7.80.0 to 7.83.0. The issue occurs when the parser incorrectly accepts percent-encoded URL separators in the hostname part of a URL, leading to potential security bypasses (Curl Advisory).
The vulnerability stems from a flaw introduced in commit 9a8564a920188e, which was shipped in curl 7.80.0 when curl added support for percent-encoded hostnames in URLs. The parser wrongly accepts percent-encoded URL separators like '/' when decoding the hostname part of a URL. For example, a URL like http://example.com%2F127.0.0.1/ would be allowed by the parser and get transposed into http://example.com/127.0.0.1/. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD, Curl Advisory).
This vulnerability can be exploited to circumvent filters and security checks. The flaw allows attackers to manipulate the hostname interpretation, potentially leading to security bypass scenarios. The primary impact is on the integrity of URL processing, with no direct impact on confidentiality or availability (Curl Advisory).
The vulnerability was fixed in curl version 7.83.1, released on May 11, 2022. The fix modifies the URL parser to reject hostnames that percent-decode into URL separator characters. Users are recommended to upgrade to version 7.83.1 or later; no workarounds are known for users who cannot upgrade immediately (Curl Advisory).
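The kind of check the fix describes, percent-decoding the hostname and rejecting it if a URL separator appears in the result, as an added C example that is not curl's own code; the separator set, the function names and the 256-byte host limit are this example's assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Delimiters that would change how a URL is split if they appeared in the
   host; "%2F" decoding to '/' is the CVE-2022-27780 case. The set below is
   this example's assumption, not curl's own list. */
static const char URL_SEPARATORS[] = "/\\?#@:";

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode host into out (capacity outlen, always NUL-terminated).
   Returns the number of decoded bytes, or -1 on a truncated or non-hex
   escape or if out is too small. */
long host_percent_decode(const char *host, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; host[i] != '\0'; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '%') {
            int hi = hexval((unsigned char)host[i + 1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)host[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

/* 1 if the host may be used, 0 if it must be rejected: empty result,
   malformed escape, embedded NUL, or a decoded URL separator. */
int host_is_acceptable(const char *host) {
    char decoded[256];
    long n = host_percent_decode(host, decoded, sizeof decoded);
    if (n <= 0) return 0;
    if (strlen(decoded) != (size_t)n) return 0;     /* "%00" inside */
    if (strpbrk(decoded, URL_SEPARATORS) != NULL) return 0;
    return 1;
}
```

With this check, the advisory's example host `example.com%2F127.0.0.1` is rejected because it decodes to `example.com/127.0.0.1`, while a harmless escape such as `ex%41mple.com` is still accepted.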
Source: This report was generated using AI