CVE-2022-32207: Business Logic Errors (CWE-840) in https://github.com/curl/curl

Critical
Published: Thu Jul 07 2022 (07/07/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: https://github.com/curl/curl

Description

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

AI-Powered Analysis

Last updated: 06/21/2025, 23:01:11 UTC

Technical Analysis

CVE-2022-32207 is a critical security vulnerability identified in the curl utility, specifically in versions prior to 7.84.0. Curl is a widely used command-line tool and library for transferring data with URLs, supporting numerous protocols. The vulnerability arises from a business logic error (CWE-840) related to how curl saves cookies, alt-svc (alternative service), and HSTS (HTTP Strict Transport Security) data to local files.

To ensure atomicity during these save operations, curl writes data to a temporary file and then renames this temporary file to the final target filename. However, during this rename operation, curl may inadvertently widen the file permissions of the target file, making it accessible to more users than originally intended. This unintended permission widening can expose sensitive data stored in these files, such as cookies and security policies, to unauthorized users on the same system.

The vulnerability has a CVSS 3.1 base score of 9.8, indicating critical severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the potential for unauthorized data disclosure and manipulation is significant, especially in multi-user environments or shared systems. The issue was addressed and fixed in curl version 7.84.0 by correcting the file permission handling during the rename operation to prevent unintended permission widening.
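The save-then-rename pattern described above, as an added illustration (this is not curl's source code): `save_atomic` and `demo` are hypothetical names, and the 0600 cookie jar and umask 022 are constructed. With `preserve` off, the temp file's default mode replaces the restricted one at rename time; with it on, the target's existing mode is carried over.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replace `path` with `data` through a temp file and rename().
 * preserve == 0: default temp mode (0666 & ~umask); 1: the target's mode.
 * Returns the permission bits of `path` afterwards, or -1 on error. */
static int save_atomic(const char *path, const char *data, int preserve)
{
  char tmp[512];
  struct stat sb;
  mode_t mode = 0666; /* what a plain fopen(tmp, "w") requests */
  int fd, ok;
  snprintf(tmp, sizeof(tmp), "%s.%ld.tmp", path, (long)getpid());
  if(preserve && stat(path, &sb) == 0 && S_ISREG(sb.st_mode))
    mode = sb.st_mode & 0777; /* carry the owner's restriction over */
  fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, mode); /* umask only narrows */
  if(fd < 0)
    return -1;
  ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
  ok = (close(fd) == 0) && ok;
  if(ok && rename(tmp, path) == 0 && stat(path, &sb) == 0)
    return (int)(sb.st_mode & 0777);
  unlink(tmp); /* clean up the temp file on any failure */
  return -1;
}

/* Constructed scenario: a cookie jar restricted to 0600, process umask 022. */
static int demo(int preserve)
{
  char jar[] = "/tmp/cookiejar-XXXXXX";
  mode_t old = umask(022);
  int mode = -1, fd = mkstemp(jar); /* mkstemp creates the file 0600 */
  if(fd >= 0) {
    close(fd);
    mode = save_atomic(jar, "# constructed cookie jar\n", preserve);
    unlink(jar);
  }
  umask(old);
  return mode;
}
int main(void)
{
  return printf("default: %04o  preserved: %04o\n", demo(0), demo(1)) < 0;
}
```

The same comparison of mode bits before and after a save is what a permission audit of existing cookie, alt-svc and HSTS files looks for.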

Potential Impact

For European organizations, the impact of CVE-2022-32207 can be substantial, particularly for those relying on curl in multi-user environments such as shared servers, cloud platforms, or containerized applications. Unauthorized access to cookies and security policy files could lead to session hijacking, unauthorized access to web services, or manipulation of security configurations, undermining confidentiality and integrity. This is especially critical for sectors handling sensitive personal data under GDPR regulations, such as finance, healthcare, and government agencies. The vulnerability could also facilitate lateral movement within compromised networks if attackers gain access to sensitive authentication tokens or security policies. Given curl's ubiquitous presence in automation scripts, CI/CD pipelines, and backend services, the scope of affected systems is broad, increasing the risk of widespread exposure. The lack of required privileges or user interaction for exploitation further elevates the threat level, enabling remote attackers to exploit this vulnerability without authentication. Consequently, organizations may face regulatory penalties, reputational damage, and operational disruptions if this vulnerability is exploited.

Mitigation Recommendations

European organizations should prioritize upgrading all curl instances to version 7.84.0 or later to eliminate the vulnerability. Beyond patching, organizations should audit file permission settings on cookie, alt-svc, and HSTS data files to ensure they are not overly permissive, especially on shared systems. Implementing strict access controls and user segregation on systems running curl can reduce the risk of unauthorized access. Monitoring file system changes and employing file integrity monitoring tools can help detect unexpected permission changes. Additionally, organizations should review automation scripts and CI/CD pipelines that use curl to ensure they do not inadvertently expose sensitive data. Where feasible, running curl processes with the least privilege necessary and isolating them in containers or sandboxes can limit potential damage. Finally, educating system administrators and developers about secure file handling practices and the implications of this vulnerability will help prevent similar issues.

Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2022-06-01T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf374f

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/21/2025, 11:01:11 PM

Last updated: 7/31/2025, 8:31:01 AM
