CVE-2021-22947

EUVD-2021-10075
When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
Affected Products (NVD)
VendorProductVersion
haxxcurl
7.20.0 ≤
𝑥
< 7.79.0
debiandebian_linux
9.0
debiandebian_linux
10.0
debiandebian_linux
11.0
netappcloud_backup
-
netappclustered_data_ontap
-
netapph300s_firmware
-
netapph500s_firmware
-
netapph700s_firmware
-
netapph300e_firmware
-
netapph500e_firmware
-
netapph700e_firmware
-
netapph410s_firmware
-
netappsolidfire_baseboard_management_controller_firmware
-
oraclecommunications_cloud_native_core_binding_support_function
1.11.0
oraclecommunications_cloud_native_core_network_function_cloud_native_environment
1.10.0
oraclecommunications_cloud_native_core_network_repository_function
1.15.0
oraclecommunications_cloud_native_core_network_repository_function
1.15.1
oraclecommunications_cloud_native_core_network_slice_selection_function
1.8.0
oraclecommunications_cloud_native_core_service_communication_proxy
1.15.0
oraclemysql_server
5.7.0 ≤
𝑥
≤ 5.7.35
oraclemysql_server
8.0.0 ≤
𝑥
≤ 8.0.26
oraclepeoplesoft_enterprise_peopletools
8.57
oraclepeoplesoft_enterprise_peopletools
8.58
oraclepeoplesoft_enterprise_peopletools
8.59
siemenssinec_infrastructure_network_services
𝑥
< 1.0.1.1
applemacos
𝑥
< 12.3
oraclecommerce_guided_search
11.3.2
oraclecommunications_cloud_native_core_binding_support_function
22.1.3
oraclecommunications_cloud_native_core_console
22.2.0
oraclecommunications_cloud_native_core_network_repository_function
22.1.2
oraclecommunications_cloud_native_core_network_repository_function
22.2.0
oraclecommunications_cloud_native_core_security_edge_protection_proxy
22.1.1
splunkuniversal_forwarder
8.2.0 ≤
𝑥
< 8.2.12
splunkuniversal_forwarder
9.0.0 ≤
𝑥
< 9.0.6
splunkuniversal_forwarder
9.1.0
𝑥
= Vulnerable software versions
Windows Releases
Platform
Version
Windows 10
1809 (arm64, x64, x86)
KB5009557
1909 (arm64, x64, x86)
KB5009545
20H2 (arm64, x86)
KB5009543
21H1 (arm64, x64, x86)
KB5009543
21H2 (arm64, x64, x86)
KB5009543
Windows 11
21H2 (arm64, x64)
KB5009566
Windows Server
20H2 Server Core
KB5009543
Windows Server 2019
Server Core
KB5009557
Standard
KB5009557
Windows Server 2022
Server Core
KB5009555
Standard
KB5009555
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
bionic
Fixed 7.58.0-2ubuntu3.15
released
focal
Fixed 7.68.0-1ubuntu2.7
released
hirsute
Fixed 7.74.0-1ubuntu2.3
released
impish
Fixed 7.74.0-1.3ubuntu2
released
jammy
Fixed 7.74.0-1.3ubuntu2
released
trusty
Fixed 7.35.0-1ubuntu2.20+esm8
released
xenial
Fixed 7.47.0-1ubuntu2.19+esm1
released
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2022/Mar/29
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1334763
https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20211029-0003/
https://support.apple.com/kb/HT213183
https://www.debian.org/security/2022/dsa-5197
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
http://seclists.org/fulldisclosure/2022/Mar/29
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1334763
https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20211029-0003/
https://support.apple.com/kb/HT213183
https://www.debian.org/security/2022/dsa-5197
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html