
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-43551 is a vulnerability in curl versions 7.77.0 through 7.86.0 that allows the HSTS (HTTP Strict Transport Security) check to be bypassed, so that curl keeps using insecure clear-text HTTP where it should have switched to HTTPS. The issue was reported on October 29, 2022 and fixed in curl 7.87.0, released on December 21, 2022. It lies in curl's HSTS implementation and is triggered by URLs whose host name contains IDN (Internationalized Domain Name) characters (Curl Advisory).
With HSTS support, curl can be instructed to go straight to HTTPS for a known host even when the URL says http://. The bypass occurs when the host name in the URL contains IDN characters that the IDN conversion replaces with ASCII counterparts, for example UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) in place of the ASCII full stop U+002E ('.'). curl stored HSTS entries under the IDN-encoded (ASCII) host name but performed the lookup with the name in its unconverted, IDN-decoded form, so the lookup never matched and HSTS was not enforced for that URL. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD Database).
When exploited, the bug lets an attacker keep curl on a clear-text HTTP connection to a host for which HSTS should have enforced HTTPS, exposing the request and any sensitive data it carries to a man-in-the-middle attacker. The impact is to the confidentiality of the transmitted data, consistent with the CVSS vector above (Curl Advisory).
The vulnerability is fixed in curl 7.87.0; users should upgrade to that version or later. Until then, the recommended workaround is to always use https:// in URLs, so that curl never relies on the HSTS cache to upgrade a clear-text request. The fix is a patch that corrects how IDN-encoded host names are handled in the HSTS check (Curl Advisory).
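To make the lookup mismatch and the corrected check concrete, here is a small Python model added for this entry. It is not curl's code and does not use curl's actual HSTS cache format; the cache contents, host name and expiry are constructed for the example, and Python's built-in idna codec stands in for curl's IDN conversion. The convert_first flag switches between the vulnerable lookup (host name exactly as written in the URL) and the corrected one (host name after IDN conversion).

```python
import urllib.parse

# Constructed HSTS cache in the spirit of curl's --hsts file: host -> expiry as epoch
# seconds. Entries are keyed by the IDNA-encoded, lowercased ASCII host name, which is
# the form the advisory says curl stored. Host and expiry are made up for this example.
HSTS_CACHE = {"example.com": 4102444800}  # expires 2100-01-01


def idna_ascii(host: str) -> str:
    """Return the IDNA (ASCII) form of a host name, lowercased.

    Python's idna codec treats U+3002 IDEOGRAPHIC FULL STOP (and the fullwidth and
    halfwidth variants) as a label separator, so 'example\u3002com' converts to
    'example.com'. This is the replacement of an IDN character by its ASCII
    counterpart that the advisory describes.
    """
    return host.encode("idna").decode("ascii").lower()


def hsts_requires_https(host: str, convert_first: bool, now: int,
                        cache=HSTS_CACHE) -> bool:
    """Look up `host` in the HSTS cache and report whether HTTPS must be used.

    convert_first=False models the vulnerable check: the host is looked up exactly as
    written in the URL, before IDN conversion, so 'example\u3002com' misses the entry
    stored under 'example.com'. convert_first=True models the corrected check, which
    converts the name first so both sides of the comparison use the same form.
    """
    key = idna_ascii(host) if convert_first else host.lower()
    expiry = cache.get(key)
    return expiry is not None and expiry > now


def apply_hsts(url: str, convert_first: bool, now: int = 1700000000,
               cache=HSTS_CACHE) -> str:
    """Rewrite an http:// URL to https:// when the HSTS cache says the host needs it.

    URLs that already use https:// are returned unchanged, which is why the advisory's
    workaround (always write https:// URLs) sidesteps the bug entirely.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if hsts_requires_https(parts.hostname, convert_first, now, cache):
        parts = parts._replace(scheme="https")
    return urllib.parse.urlunsplit(parts)


if __name__ == "__main__":
    tricky = "http://example\u3002com/login"  # U+3002 instead of '.'
    print("vulnerable :", apply_hsts(tricky, convert_first=False))
    print("fixed      :", apply_hsts(tricky, convert_first=True))
    print("plain ascii:", apply_hsts("http://example.com/login", convert_first=False))
```

A plain ASCII host such as example.com hits the cache in both variants, so ordinary URLs were never affected; only host names containing a non-ASCII character that the IDN conversion folds to ASCII reach the mismatch. The same reasoning shows why the https:// workaround is sufficient: when the URL already names HTTPS, no HSTS lookup is needed to avoid the clear-text hop.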
Source: This report was generated using AI