CVE-2021-22923

Published: 05/08/2021 Updated: 27/03/2024
CVSS v2 Base Score: 2.6 | Impact Score: 2.9 | Exploitability Score: 4.9
CVSS v3 Base Score: 5.3 | Impact Score: 3.6 | Exploitability Score: 1.6
VMScore: 232
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Vulnerability Summary

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are subsequently passed on to each of the servers from which curl will download, or try to download, the contents. This often happens contrary to the user's expectations and intentions, and without telling the user it happened.

Vulnerable Product

haxx curl

fedoraproject fedora 33

netapp cloud backup -

netapp clustered data ontap -

netapp solidfire -

netapp hci management node -

oracle mysql server

siemens sinec infrastructure network services

netapp h300s_firmware -

netapp h500s_firmware -

netapp h700s_firmware -

netapp h300e_firmware -

netapp h500e_firmware -

netapp h700e_firmware -

netapp h410s_firmware -

splunk universal forwarder 9.1.0

splunk universal forwarder

Vendor Advisories

A flaw was found in the way curl handled telnet protocol option for sending environment variables, which could lead to sending of uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol (CVE-2021-22898). A flaw was found in ...
A flaw was found in curl in the way curl handles credentials when downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to gain access to credentials provided while downloading content without the user's knowledge. The highest threat from this vulnerability is to confidentiality ...
A security issue has been found in curl before version 7.78.0. When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from; of ...

ICS Advisories