CVE-2022-43551 Information
Description
A vulnerability exists in the HSTS check of curl <7.87.0 that could be bypassed to trick it into keeping using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced by ASCII counterparts as part of the IDN conversion, for example the character U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). Then, in a subsequent request, curl does not detect the HSTS state and makes a clear-text transfer, because it stored the entry IDN-encoded but looks it up IDN-decoded.
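The following Python is an added illustration of the key-normalisation mismatch the description refers to; it is not curl's own code. A toy HSTS cache stores every entry under the IDN-encoded (ASCII) host name. The "buggy" variant looks entries up with the raw host taken from the URL, as the pre-7.87.0 check did, so a host written with U+3002 never matches; the "fixed" variant runs the same IDN conversion before the lookup. Python's built-in `idna` codec treats U+3002 as a label separator, as the IDN conversion does. The host names, the max-age value and the fixed clock are constructed for the example.

```python
"""Toy HSTS cache illustrating the CVE-2022-43551 lookup mismatch.

Added example, not curl's code. Host names and ages below are constructed.
"""
import time
from dataclasses import dataclass


def to_ascii_host(host: str) -> str:
    """IDN-encode a host the way a client does before it resolves/connects.

    Python's built-in 'idna' codec treats U+3002 (IDEOGRAPHIC FULL STOP) and
    the other Unicode full stops as label separators, so 'example\u3002com'
    and 'example.com' both map to the same ASCII key.
    """
    return host.encode("idna").decode("ascii").lower()


@dataclass
class HstsEntry:
    host: str                 # ASCII (IDN-encoded) host the entry was stored under
    expires: float            # absolute time after which the entry is ignored
    include_subdomains: bool  # Strict-Transport-Security: includeSubDomains


class HstsCache:
    """normalize_lookup=False models the pre-7.87.0 behaviour described in the
    advisory: entries are stored IDN-encoded but looked up with the raw name."""

    def __init__(self, normalize_lookup: bool = True, now=time.time):
        self._entries = {}
        self._normalize_lookup = normalize_lookup
        self._now = now

    def store(self, host: str, max_age: int, include_subdomains: bool = False) -> None:
        # Stored the same way in both variants: under the IDN-encoded name.
        key = to_ascii_host(host)
        self._entries[key] = HstsEntry(key, self._now() + max_age, include_subdomains)

    def must_use_https(self, host: str) -> bool:
        # The buggy variant skips IDN conversion here, so a host written with
        # U+3002 never matches the '.'-separated key it was stored under.
        key = to_ascii_host(host) if self._normalize_lookup else host.lower()
        now = self._now()
        entry = self._entries.get(key)
        if entry is not None and entry.expires > now:
            return True
        # includeSubDomains: walk up the parent domains of the lookup key.
        labels = key.split(".")
        for i in range(1, len(labels)):
            parent = self._entries.get(".".join(labels[i:]))
            if parent is not None and parent.include_subdomains and parent.expires > now:
                return True
        return False


def effective_scheme(cache: HstsCache, scheme: str, host: str) -> str:
    """Scheme the transfer actually uses after the HSTS check."""
    if scheme == "http" and cache.must_use_https(host):
        return "https"
    return scheme


def demo() -> dict:
    """Same cached policy, same URLs; only the lookup normalisation differs."""
    idn_host = "example\u3002com"   # constructed: U+3002 instead of U+002E
    results = {}
    for name, normalize in (("buggy", False), ("fixed", True)):
        cache = HstsCache(normalize_lookup=normalize, now=lambda: 1_000.0)
        # As if an earlier HTTPS response had carried
        # Strict-Transport-Security: max-age=31536000; includeSubDomains
        cache.store("example.com", 31536000, include_subdomains=True)
        results[name] = (
            effective_scheme(cache, "http", "example.com"),
            effective_scheme(cache, "http", idn_host),
            effective_scheme(cache, "http", "www." + idn_host),
        )
    return results


if __name__ == "__main__":
    for variant, schemes in demo().items():
        print(variant, schemes)
```

Running it shows the buggy cache upgrading `example.com` but leaving both U+3002 spellings on clear-text HTTP, while the fixed cache upgrades all three. The general lesson is the one the advisory states: any cache keyed by host name must apply the same canonicalisation on store and on lookup, and a defender reviewing such code should check that the lookup path goes through exactly the function the store path does.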
Reference
https://hackerone.com/reports/1755083