CVE-2021-22947

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
hackeroneCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
VendorProductVersion
haxxcurl
7.20.0 ≤
𝑥
< 7.79.0
debiandebian_linux
9.0
debiandebian_linux
10.0
debiandebian_linux
11.0
netappcloud_backup
-
netappclustered_data_ontap
-
netapph300s_firmware
-
netapph500s_firmware
-
netapph700s_firmware
-
netapph300e_firmware
-
netapph500e_firmware
-
netapph700e_firmware
-
netapph410s_firmware
-
netappsolidfire_baseboard_management_controller_firmware
-
oraclecommunications_cloud_native_core_binding_support_function
1.11.0
oraclecommunications_cloud_native_core_network_function_cloud_native_environment
1.10.0
oraclecommunications_cloud_native_core_network_repository_function
1.15.0
oraclecommunications_cloud_native_core_network_repository_function
1.15.1
oraclecommunications_cloud_native_core_network_slice_selection_function
1.8.0
oraclecommunications_cloud_native_core_service_communication_proxy
1.15.0
oraclemysql_server
5.7.0 ≤
𝑥
≤ 5.7.35
oraclemysql_server
8.0.0 ≤
𝑥
≤ 8.0.26
oraclepeoplesoft_enterprise_peopletools
8.57
oraclepeoplesoft_enterprise_peopletools
8.58
oraclepeoplesoft_enterprise_peopletools
8.59
siemenssinec_infrastructure_network_services
𝑥
< 1.0.1.1
applemacos
𝑥
< 12.3
oraclecommerce_guided_search
11.3.2
oraclecommunications_cloud_native_core_binding_support_function
22.1.3
oraclecommunications_cloud_native_core_console
22.2.0
oraclecommunications_cloud_native_core_network_repository_function
22.1.2
oraclecommunications_cloud_native_core_network_repository_function
22.2.0
oraclecommunications_cloud_native_core_security_edge_protection_proxy
22.1.1
splunkuniversal_forwarder
8.2.0 ≤
𝑥
< 8.2.12
splunkuniversal_forwarder
9.0.0 ≤
𝑥
< 9.0.6
splunkuniversal_forwarder
9.1.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
jammy
Fixed 7.74.0-1.3ubuntu2
released
impish
Fixed 7.74.0-1.3ubuntu2
released
hirsute
Fixed 7.74.0-1ubuntu2.3
released
focal
Fixed 7.68.0-1ubuntu2.7
released
bionic
Fixed 7.58.0-2ubuntu3.15
released
xenial
Fixed 7.47.0-1ubuntu2.19+esm1
released
trusty
Fixed 7.35.0-1ubuntu2.20+esm8
released
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2022/Mar/29
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1334763
https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20211029-0003/
https://support.apple.com/kb/HT213183
https://www.debian.org/security/2022/dsa-5197
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
http://seclists.org/fulldisclosure/2022/Mar/29
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1334763
https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20211029-0003/
https://support.apple.com/kb/HT213183
https://www.debian.org/security/2022/dsa-5197
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html