gsd-2021-22946
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
Aliases
Aliases



{
  "GSD": {
    "alias": "CVE-2021-22946",
    "description": "A user can tell curl \u003e= 7.20.0 and \u003c= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.",
    "id": "GSD-2021-22946",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-22946.html",
      "https://access.redhat.com/errata/RHSA-2022:0635",
      "https://access.redhat.com/errata/RHSA-2021:4059",
      "https://ubuntu.com/security/CVE-2021-22946",
      "https://advisories.mageia.org/CVE-2021-22946.html",
      "https://security.archlinux.org/CVE-2021-22946",
      "https://access.redhat.com/errata/RHSA-2022:1354",
      "https://alas.aws.amazon.com/cve/html/CVE-2021-22946.html",
      "https://linux.oracle.com/cve/CVE-2021-22946.html",
      "https://www.debian.org/security/2022/dsa-5197"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-22946"
      ],
      "details": "A user can tell curl \u003e= 7.20.0 and \u003c= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.",
      "id": "GSD-2021-22946",
      "modified": "2023-12-13T01:23:24.835747Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2021-22946",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/curl/curl",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "curl 7.20.0 to and including 7.78.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A user can tell curl \u003e= 7.20.0 and \u003c= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Missing Required Cryptographic Step (CWE-325)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://hackerone.com/reports/1334111",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/1334111"
          },
          {
            "name": "[debian-lts-announce] 20210930 [SECURITY] [DLA 2773-1] curl security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html"
          },
          {
            "name": "FEDORA-2021-fc96a3a749",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "name": "FEDORA-2021-1d24845e93",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20211029-0003/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20211029-0003/"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20220121-0008/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20220121-0008/"
          },
          {
            "name": "20220314 APPLE-SA-2022-03-14-4 macOS Monterey 12.3",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2022/Mar/29"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
            "refsource": "CONFIRM",
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
          },
          {
            "name": "https://support.apple.com/kb/HT213183",
            "refsource": "CONFIRM",
            "url": "https://support.apple.com/kb/HT213183"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "name": "DSA-5197",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2022/dsa-5197"
          },
          {
            "name": "[debian-lts-announce] 20220828 [SECURITY] [DLA 3085-1] curl security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html"
          },
          {
            "name": "GLSA-202212-01",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202212-01"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "4CACB6A8-0CF6-4283-BB33-FE3B0026A23E",
                    "versionEndExcluding": "7.79.0",
                    "versionStartIncluding": "7.20.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                    "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "5C2089EE-5D7F-47EC-8EA5-0F69790564C4",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "1FE996B1-6951-4F85-AA58-B99A379D2163",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "6770B6C3-732E-4E22-BF1C-2D2FD610061C",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              },
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "9F9C8C20-42EB-4AB5-BD97-212DEB070C43",
                    "vulnerable": false
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ],
            "operator": "AND"
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "7FFF7106-ED78-49BA-9EC5-B889E3685D53",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              },
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E63D8B0F-006E-4801-BF9D-1C001BBFB4F9",
                    "vulnerable": false
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ],
            "operator": "AND"
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "56409CEC-5A1E-4450-AA42-641E459CC2AF",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              },
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B06F4839-D16A-4A61-9BB5-55B13F41E47F",
                    "vulnerable": false
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ],
            "operator": "AND"
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "108A2215-50FB-4074-94CF-C130FA14566D",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              },
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "7AFC73CE-ABB9-42D3-9A71-3F5BC5381E0E",
                    "vulnerable": false
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ],
            "operator": "AND"
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "32F0B6C0-F930-480D-962B-3F4EFDCC13C7",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              },
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "803BC414-B250-4E3A-A478-A3881340D6B8",
                    "vulnerable": false
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ],
            "operator": "AND"
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "0FEB3337-BFDE-462A-908B-176F92053CEC",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              },
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "736AEAE9-782B-4F71-9893-DED53367E102",
                    "vulnerable": false
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ],
            "operator": "AND"
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D0B4AD8A-F172-4558-AEC6-FF424BA2D912",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              },
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "8497A4C9-8474-4A62-8331-3FE862ED4098",
                    "vulnerable": false
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ],
            "operator": "AND"
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FB9B8171-F6CA-427D-81E0-6536D3BBFA8D",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              },
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:h:netapp:solidfire_baseboard_management_controller:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "090AA6F4-4404-4E26-82AB-C3A22636F276",
                    "vulnerable": false
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ],
            "operator": "AND"
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "10323322-F6C0-4EA7-9344-736F7A80AA5F",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "C2A5B24D-BDF2-423C-98EA-A40778C01A05",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "6F60E32F-0CA0-4C2D-9848-CB92765A9ACB",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DF616620-88CE-4A77-B904-C1728A2E6F9B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "3AA09838-BF13-46AC-BB97-A69F48B73A8A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "175B97A7-0B00-4378-AD9F-C01B6D9FD570",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E667933A-37EA-4BC2-9180-C3B4B7038866",
                    "versionEndIncluding": "5.7.35",
                    "versionStartIncluding": "5.7.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "709E83B4-8C66-4255-870B-2F72B37BA8C6",
                    "versionEndIncluding": "8.0.26",
                    "versionStartIncluding": "8.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*",
                    "matchCriteriaId": "7E1E416B-920B-49A0-9523-382898C2979D",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*",
                    "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "9060C1B6-F101-46AE-8B08-6D6951304916",
                    "versionEndExcluding": "12.3",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B0F46497-4AB0-49A7-9453-CC26837BF253",
                    "versionEndExcluding": "1.0.1.1",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*",
                    "matchCriteriaId": "2A3622F5-5976-4BBC-A147-FC8A6431EA79",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*",
                    "matchCriteriaId": "6EDB6772-7FDB-45FF-8D72-952902A7EE56",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_console:22.2.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "3C2BC68D-C8B2-4C8B-9426-21F00CBDD873",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B61A7946-F554-44A9-9E41-86114E4B4914",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "EBB5FF32-7362-4A1E-AD24-EF6B8770FCAD",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "8B40FAF9-0A6B-41C4-8CAD-D3D1DD982C2C",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "5722E753-75DE-4944-A11B-556CB299B57D",
                    "versionEndExcluding": "8.2.12",
                    "versionStartIncluding": "8.2.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DC0F9351-81A4-4FEA-B6B5-6E960A933D32",
                    "versionEndExcluding": "9.0.6",
                    "versionStartIncluding": "9.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "EED24E67-2957-4C1B-8FEA-E2D2FE7B97FC",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "A user can tell curl \u003e= 7.20.0 and \u003c= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network."
          },
          {
            "lang": "es",
            "value": "Un usuario puede decirle a curl versiones posteriores a 7.20.0 incluy\u00e9ndola , y versiones anteriores a 7.78.0 incluy\u00e9ndola, que requiera una actualizaci\u00f3n con \u00e9xito a TLS cuando hable con un servidor IMAP, POP3 o FTP (\"--ssl-reqd\" en la l\u00ednea de comandos o \"CURLOPT_USE_SSL\" configurado como \"CURLUSESSL_CONTROL\" o \"CURLUSESSL_ALL\" conlibcurl). Este requisito podr\u00eda ser omitido si el servidor devolviera una respuesta correctamente dise\u00f1ada pero perfectamente leg\u00edtima. Este fallo har\u00eda que curl continuara silenciosamente sus operaciones **withoutTLS** en contra de las instrucciones y expectativas, exponiendo posiblemente datos confidenciales en texto sin cifrar a trav\u00e9s de la red"
          }
        ],
        "id": "CVE-2021-22946",
        "lastModified": "2024-03-27T15:12:52.090",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "NONE",
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2021-09-29T20:15:08.187",
        "references": [
          {
            "source": "support@hackerone.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/Mar/29"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Exploit",
              "Issue Tracking",
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://hackerone.com/reports/1334111"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://security.gentoo.org/glsa/202212-01"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211029-0003/"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220121-0008/"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Release Notes",
              "Third Party Advisory"
            ],
            "url": "https://support.apple.com/kb/HT213183"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5197"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          }
        ],
        "sourceIdentifier": "support@hackerone.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-319"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-325"
              }
            ],
            "source": "support@hackerone.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.