CVE-2022-27774: An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are aff...
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
Security readout for executives and security teams
Plain-English summary
curl could leak authentication credentials when an application follows HTTP(S) redirects. If a redirect crosses to another protocol or port, credentials intended for one service could be exposed to a different service. This is a confidentiality issue, especially for systems that automate authenticated downloads or API calls.
Executive priority
Treat this as a targeted credential-protection issue, not a broad remote compromise. Prioritize systems using automated authenticated curl/libcurl requests, especially where leaked credentials could access sensitive APIs, repositories, backups, or administrative services.
Technical view
CVE-2022-27774 affects curl 4.9 through 7.82.0. With authentication and redirect-following enabled, credentials may be sent across redirect boundaries involving different protocols or port numbers. The CVSS 3.1 score is 5.7, driven by high confidentiality impact, low attack complexity, required privileges, and user interaction.
Likely exposure
Exposure is most likely where applications, scripts, agents, or appliances use curl or libcurl with authentication and automatic redirect following. Internet-facing use is not required; internal redirects can also matter if credentials reach an unintended service.
Exploitation context
The supplied sources do not establish active exploitation, and the CVE is not marked KEV. Exploitation depends on a user or process making an authenticated curl/libcurl request that follows a redirect to a different protocol or port.
Researcher notes
Key conditions are authentication plus redirect following, with redirect boundaries involving protocol or port changes. The source bundle identifies affected curl versions but does not provide exploit telemetry. Validate exposure by dependency inventory and application behavior rather than version checks alone.
Mitigation direction
Upgrade curl/libcurl using vendor security updates for CVE-2022-27774.
Move beyond curl 7.82.0 where vendor guidance confirms the fix.
Disable redirect following for authenticated requests unless required.
Avoid sharing reusable credentials with automated curl workflows.
Review Debian, Gentoo, NetApp, and application vendor advisories for package-specific fixes.
Validation and detection
Inventory installed curl and libcurl versions across servers, containers, and appliances.
Find code or scripts using authentication with automatic redirect following.
Check vendor package advisories for patched versions in each operating system.
Review logs for authenticated requests followed by redirects to different ports or protocols.
Prioritize systems handling privileged API tokens, passwords, or service credentials.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-522: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-522 · source CWE mapping
Insufficiently Protected Credentials
Insufficiently Protected Credentials represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.