Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS2-2021-1700

Related Vulnerabilities: CVE-2021-22898   CVE-2021-22922   CVE-2021-22923   CVE-2021-22924   CVE-2021-22925  

A flaw was found in the way curl handled telnet protocol option for sending environment variables, which could lead to sending of uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. (CVE-2021-22898) A flaw was found in curl in the way curl handles a file hash mismatch after downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to trick users into downloading malicious content. The highest threat from this vulnerability is to integrity. (CVE-2021-22922) A flaw was found in curl in the way curl handles credentials when downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to gain access to credentials provided while downloading content without the user's knowledge. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22923) A flaw was found in libcurl in the way libcurl handles previously used connections without accounting for 'issuer cert' and comparing the involved paths case-insensitively. This flaw allows libcurl to use the wrong connection. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22924) A flaw was found in the way curl handled telnet protocol option for sending environment variables, which could lead to sending of uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. (CVE-2021-22925)

Source

ALAS2-2021-1700

Amazon Linux 2 Security Advisory: ALAS-2021-1700
Advisory Release Date: 2021-09-08 23:35 Pacific
Advisory Updated Date: 2021-09-15 17:41 Pacific
Severity: Medium
Issue Overview:

A flaw was found in the way curl handled telnet protocol option for sending environment variables, which could lead to sending of uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. (CVE-2021-22898)

A flaw was found in curl in the way curl handles a file hash mismatch after downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to trick users into downloading malicious content. The highest threat from this vulnerability is to integrity. (CVE-2021-22922)

A flaw was found in curl in the way curl handles credentials when downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to gain access to credentials provided while downloading content without the user's knowledge. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22923)

A flaw was found in libcurl in the way libcurl handles previously used connections without accounting for 'issuer cert' and comparing the involved paths case-insensitively. This flaw allows libcurl to use the wrong connection. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22924)

A flaw was found in the way curl handled telnet protocol option for sending environment variables, which could lead to sending of uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. (CVE-2021-22925)


Affected Packages:

curl


Issue Correction:
Run yum update curl to update your system.

New Packages:
aarch64:
    curl-7.76.1-7.amzn2.0.2.aarch64
    libcurl-7.76.1-7.amzn2.0.2.aarch64
    libcurl-devel-7.76.1-7.amzn2.0.2.aarch64
    curl-debuginfo-7.76.1-7.amzn2.0.2.aarch64

i686:
    curl-7.76.1-7.amzn2.0.2.i686
    libcurl-7.76.1-7.amzn2.0.2.i686
    libcurl-devel-7.76.1-7.amzn2.0.2.i686
    curl-debuginfo-7.76.1-7.amzn2.0.2.i686

src:
    curl-7.76.1-7.amzn2.0.2.src

x86_64:
    curl-7.76.1-7.amzn2.0.2.x86_64
    libcurl-7.76.1-7.amzn2.0.2.x86_64
    libcurl-devel-7.76.1-7.amzn2.0.2.x86_64
    curl-debuginfo-7.76.1-7.amzn2.0.2.x86_64

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started