{"id":"CURL-CVE-2022-27778","summary":"curl removes wrong file on error","details":"curl might remove the wrong file when `--no-clobber` is used together with\n`--remove-on-error`.\n\nThe `--remove-on-error` option tells curl to remove the output file when it\nreturns an error, and not leave a partial file behind. The `--no-clobber`\noption prevents curl from overwriting a file if it already exists, and instead\nappends a number to the name to create a new unused filename.\n\nIf curl adds a number to not \"clobber\" the output and an error occurs during\ntransfer, the remove on error logic would remove the *original* filename\nwithout the added number.","aliases":["CVE-2022-27778"],"modified":"2025-05-15T17:48:29Z","published":"2022-05-11T08:00:00Z","database_specific":{"www":"https://curl.se/docs/CVE-2022-27778.html","award":{"currency":"USD","amount":"2400"},"last_affected":"7.83.0","affects":"tool","URL":"https://curl.se/docs/CVE-2022-27778.json","CWE":{"desc":"Use of Incorrectly-Resolved Name or Reference","id":"CWE-706"},"package":"curl","severity":"Medium","issue":"https://hackerone.com/reports/1553598"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.83.0"},{"fixed":"7.83.1"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"08a96c6e4e6cf6a1917a117db1b5394713e3f01f"},{"fixed":"8c7ee9083d0d719d0a77ab20d9cc2ae84eeea7f3"}]}],"versions":["7.83.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2022-27778.json","vanir_signatures":[{"target":{"function":"post_per_transfer","file":"src/tool_operate.c"},"source":"https://github.com/curl/curl.git/commit/8c7ee9083d0d719d0a77ab20d9cc2ae84eeea7f3","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CURL-CVE-2022-27778-9148cdfd","digest":{"length":6410,"function_hash":"85408876570462900799251503454664716257"}},{"target":{"file":"src/tool_operate.c"},"source":"https://github.com/curl/curl.git/commit/8c7ee9083d0d719d0a77ab20d9cc2ae84eeea7f3","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CURL-CVE-2022-27778-ad869ebd","digest":{"threshold":0.9,"line_hashes":["308290438098808885868234172283327916718","110527128123582844957959740984418015675","190011922085424159656563209537929965832","98802887095136528853448725169130886710","135643845906234530904486303925015482682"]}}]}}],"schema_version":"1.7.3","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}