Cyber Resilience

CVE-2022-32221

CriticalPublic PoC

Published: 05 December 2022

Published
05 December 2022
Modified
13 February 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0185 83.4th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-32221 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Splunk Universal Forwarder. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 16.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used…

more

that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

haxx
curl
≤ 7.86.0
netapp
clustered data ontap
all versions
netapp
h300s firmware
all versions
netapp
h500s firmware
all versions
netapp
h700s firmware
all versions
netapp
h410s firmware
all versions
debian
debian linux
10.0, 11.0
apple
macos
≤ 12.6.3
splunk
universal forwarder
9.1.0 · 8.2.0 — 8.2.12 · 9.0.0 — 9.0.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-668 CWE-200

Controls whether organization resources are exposed to external system spheres by permitting or prohibiting their use.

addresses: CWE-200 CWE-668

By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.

addresses: CWE-200 CWE-668

Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.

addresses: CWE-200 CWE-668

Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.

addresses: CWE-200 CWE-668

Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data.

addresses: CWE-200 CWE-668

Media marking ensures sensitive information on removable or system media is handled according to its classification, reducing the chance of inadvertent exposure to unauthorized actors.

addresses: CWE-200 CWE-668

Protecting and controlling media during external transport prevents exposure of sensitive information to unauthorized actors.

addresses: CWE-200 CWE-668

Assessing control effectiveness and providing incident communication channels at alternate sites reduces the likelihood of sensitive information exposure to unauthorized actors.

References