{"id":"CVE-2022-27779","details":"libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot. curl can be told to receive and send cookies. curl's \"cookie engine\" can be built with or without [Public Suffix List](https://publicsuffix.org/) awareness. If PSL support is not provided, a more rudimentary check exists to at least prevent cookies from being set on TLDs. This check was broken if the host name in the URL uses a trailing dot. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.","aliases":["CURL-CVE-2022-27779"],"modified":"2026-03-14T11:39:36.114764Z","published":"2022-06-02T14:15:44.093Z","related":["openSUSE-SU-2024:12062-1"],"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202212-01"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220609-0009/"},{"type":"EVIDENCE","url":"https://hackerone.com/reports/1553301"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"64db5c575d9c5536bd273a890f50777ad1ca7c13"},{"fixed":"462196e6b4a47f924293a0e26b8e9c23d37ac26f"}],"database_specific":{"versions":[{"introduced":"7.82.0"},{"fixed":"7.83.1"}]}}],"versions":["curl-7_82_0","curl-7_83_0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-27779.json","unresolved_ranges":[{"events":[{"introduced":"8.2.0"},{"fixed":"8.2.12"}]},{"events":[{"introduced":"9.0.0"},{"fixed":"9.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}