发布时间: 2022年7月5日
修改时间: 2022年7月5日
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl s cookie engine can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
| NVD | openEuler | |
|---|---|---|
| CVSS评分 | 5.3 | 5.3 |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | None | None |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality | Low | Low |
| Integrity | None | None |
| Availability | None | None |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2022-1585 | libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl s cookie engine can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain. | 2022年7月5日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-4A | curl | Unaffected |
| KY3.4-5 | curl | Unaffected |
| KY3.5.1 | curl | Unaffected |
