CVE-2021-22925

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
hackeroneCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
haxxcurl
7.7 ≤
𝑥
< 7.78.0
netappcloud_backup
-
netappclustered_data_ontap
-
netapphci_management_node
-
netappsolidfire
-
applemac_os_x
10.15.7
applemac_os_x
10.15.7:security_update_2021-001
applemac_os_x
10.15.7:security_update_2021-002
applemac_os_x
10.15.7:security_update_2021-003
applemac_os_x
10.15.7:security_update_2021-004
applemacos
11.0
applemacos
11.0.1
applemacos
11.1
applemacos
11.1.0
applemacos
11.2
applemacos
11.2.1
applemacos
11.3
applemacos
11.3.1
applemacos
11.4
applemacos
11.5
oraclemysql_server
5.7.0 ≤
𝑥
≤ 5.7.35
oraclemysql_server
8.0.0 ≤
𝑥
≤ 8.0.26
oraclepeoplesoft_enterprise_peopletools
8.57
oraclepeoplesoft_enterprise_peopletools
8.58
oraclepeoplesoft_enterprise_peopletools
8.59
siemenssinec_infrastructure_network_services
𝑥
< 1.0.1.1
siemenssinema_remote_connect_server
𝑥
< 3.1
netapph300s_firmware
-
netapph500s_firmware
-
netapph700s_firmware
-
netapph300e_firmware
-
netapph500e_firmware
-
netapph700e_firmware
-
netapph410s_firmware
-
splunkuniversal_forwarder
8.2.0 ≤
𝑥
< 8.2.12
splunkuniversal_forwarder
9.0.0 ≤
𝑥
< 9.0.6
splunkuniversal_forwarder
9.1.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
lunar
Fixed 7.74.0-1.2ubuntu4
released
kinetic
Fixed 7.74.0-1.2ubuntu4
released
jammy
Fixed 7.74.0-1.2ubuntu4
released
impish
Fixed 7.74.0-1.2ubuntu4
released
hirsute
Fixed 7.74.0-1ubuntu2.1
released
groovy
ignored
focal
Fixed 7.68.0-1ubuntu2.6
released
bionic
Fixed 7.58.0-2ubuntu3.14
released
xenial
Fixed 7.47.0-1ubuntu2.19+esm3
released
trusty
Fixed 7.35.0-1ubuntu2.20+esm14
released
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2021/Sep/39
http://seclists.org/fulldisclosure/2021/Sep/40
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
https://hackerone.com/reports/1223882
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20210902-0003/
https://support.apple.com/kb/HT212804
https://support.apple.com/kb/HT212805
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
http://seclists.org/fulldisclosure/2021/Sep/39
http://seclists.org/fulldisclosure/2021/Sep/40
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
https://hackerone.com/reports/1223882
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20210902-0003/
https://support.apple.com/kb/HT212804
https://support.apple.com/kb/HT212805
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html