{"id":"CURL-CVE-2022-32207","summary":"Non-preserved file permissions","details":"When curl saves cookies, alt-svc and hsts data to local files, it makes the\noperation atomic by finalizing the operation with a rename from a temporary\nname to the final target filename.\n\nIn that rename operation, it might accidentally *widen* the permissions for\nthe target file, leaving the updated file accessible to more users than\nintended.","aliases":["CVE-2022-32207"],"modified":"2026-04-25T20:38:36.322518Z","published":"2022-06-27T08:00:00Z","database_specific":{"affects":"both","award":{"amount":"2400","currency":"USD"},"severity":"Medium","last_affected":"7.83.1","URL":"https://curl.se/docs/CVE-2022-32207.json","www":"https://curl.se/docs/CVE-2022-32207.html","package":"curl","issue":"https://hackerone.com/reports/1573634","CWE":{"desc":"Improper Preservation of Permissions","id":"CWE-281"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.69.0"},{"fixed":"7.84.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"b834890a3fa3f525cd8ef4e99554cdb4558d7e1b"},{"fixed":"20f9dd6bae50b7223171b17ba7798946e74f877f"}]}],"versions":["7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2022-32207.json","vanir_signatures":[{"signature_version":"v1","id":"CURL-CVE-2022-32207-1a290351","digest":{"length":1696,"function_hash":"305870156830231985557133237636686356289"},"deprecated":false,"signature_type":"Function","source":"https://github.com/curl/curl.git/commit/20f9dd6bae50b7223171b17ba7798946e74f877f","target":{"file":"lib/cookie.c","function":"cookie_output"}},{"signature_version":"v1","id":"CURL-CVE-2022-32207-3458378d","digest":{"threshold":0.9,"line_hashes":["19542152435248566348534121121404899133","161367172986192604655752474631591150973","310751673445772978523358360521802730802","4424874072028108703009431066093817851","187440963696661346408659508771285993647","302895510676315582129922617783820223302","135815602676182081692811014512791179341","330436315805160357036125107162565285681","193568821849953497900893711564012248332","246537596910753757772219533742246397862","117533370912079928344900381165105363760","170086517522843419575198603782172205566","141821886680241180494020230255407031868","94742408489309836486471842947633187974","328885262848515589541727135342267286078","215183553528032001964437814862826714404","129336455590798651885286212325919621165","126236476153916860056453326280829059280","13477195757736043971976616540328472352","105791471826809518909761125461019016874","323647520086621415914899601557635000029","58910070339272998776735321338979916801","216274372733572833682556657574977594210"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/curl/curl.git/commit/20f9dd6bae50b7223171b17ba7798946e74f877f","target":{"file":"lib/cookie.c"}}],"vanir_signatures_modified":"2026-04-25T20:38:36Z"}}],"schema_version":"1.7.5","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}