CVE-2022-32221: 
MySQL vulnerability analysis and mitigation

CVE-2022-32221 is a vulnerability in libcurl, discovered and disclosed in September 2022, affecting versions 7.7 to 7.85.0. The vulnerability occurs when doing HTTP(S) transfers, where libcurl might erroneously use the read callback (CURLOPTREADFUNCTION) to ask for data to send, even when the CURLOPTPOSTFIELDS option has been set, if the same handle previously was used to issue a PUT request (Curl Advisory).

The vulnerability exists in the logic for a reused handle when it is changed from a PUT to a POST request. When a handle is reused and changed from PUT to POST, libcurl may incorrectly continue to use the read callback instead of the intended CURLOPT_POSTFIELDS data. The vulnerability has been assigned a CVSS score of 9.8 (CRITICAL) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

The flaw may cause the application to misbehave and either send incorrect data or use memory after it has been freed in the subsequent POST request. While the code causing these issues is not present in libcurl itself, these are potential outcomes of libcurl unexpectedly calling the read callback when it shouldn't (Curl Advisory).

The vulnerability was fixed in libcurl version 7.86.0. Users are recommended to either upgrade to version 7.86.0 or later, apply the patch to their local version, or avoid mixing the use of read callback and CURLOPT_POSTFIELDS string on a reused easy handle (Curl Advisory).

The vulnerability has been acknowledged and patched by multiple vendors including Apple, who included fixes in their macOS Ventura 13.2 and Monterey 12.6.3 updates (Apple Support, Apple Support). NetApp has also issued advisories and patches for their affected products (NetApp Advisory).