CVE-2021-22924

Vulnerability Summary

A security issue has been found in curl before version 7.78.0. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. Due to errors in the logic, the config matching function did not take the 'issuer cert' into account and compared the involved paths case-insensitively, which could lead to libcurl reusing the wrong connection. File paths are, or can be, case sensitive on many systems but not all, and this can even vary depending on the file system in use. The comparison also did not include the 'issuer cert', which a transfer can set to qualify how the server certificate is verified.
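The matching flaw described above, as an added illustration that is not curl's own code: a reduced, hypothetical stand-in for the TLS-config comparison a connection pool performs, with the pre-7.78.0 behaviour (case-insensitive path compare, issuer cert never consulted) beside the corrected check. The struct fields, sample paths and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, reduced stand-in for the TLS settings a connection pool
 * compares when deciding whether a pooled connection may be reused. */
struct ssl_cfg {
    const char *ca_file;     /* CA bundle path (the CURLOPT_CAINFO idea) */
    const char *issuer_cert; /* issuer certificate path (CURLOPT_ISSUERCERT idea) */
};

/* Both NULL, or equal ignoring case: the flawed path comparison. */
static bool eq_nocase(const char *a, const char *b) {
    if (!a || !b) return a == b;
    return strcasecmp(a, b) == 0;
}

/* Both NULL, or byte-for-byte equal: what a file path comparison needs. */
static bool eq_exact(const char *a, const char *b) {
    if (!a || !b) return a == b;
    return strcmp(a, b) == 0;
}

/* Flawed matcher: case-insensitive paths, issuer cert not part of the check. */
bool ssl_cfg_matches_flawed(const struct ssl_cfg *a, const struct ssl_cfg *b) {
    return eq_nocase(a->ca_file, b->ca_file);
}

/* Fixed matcher: exact paths, and the issuer cert is part of the identity. */
bool ssl_cfg_matches_fixed(const struct ssl_cfg *a, const struct ssl_cfg *b) {
    return eq_exact(a->ca_file, b->ca_file) &&
           eq_exact(a->issuer_cert, b->issuer_cert);
}

/* Constructed sample: one pooled connection and two new transfers whose
 * settings differ only in path case, or only by an added issuer cert. */
const struct ssl_cfg pooled       = { "/etc/ssl/CA.pem", NULL };
const struct ssl_cfg case_differs = { "/etc/ssl/ca.pem", NULL };
const struct ssl_cfg issuer_added = { "/etc/ssl/CA.pem", "/etc/ssl/issuer.pem" };

int main(void) {
    printf("path differs only in case, reused: flawed=%d fixed=%d\n",
           ssl_cfg_matches_flawed(&pooled, &case_differs),
           ssl_cfg_matches_fixed(&pooled, &case_differs));
    printf("issuer cert differs, reused:       flawed=%d fixed=%d\n",
           ssl_cfg_matches_flawed(&pooled, &issuer_added),
           ssl_cfg_matches_fixed(&pooled, &issuer_added));
    return 0;
}
```

On a case-sensitive file system the two CA paths name different files, so the flawed matcher hands the second transfer a connection that was verified against a different trust anchor; the fixed matcher treats both differences as a mismatch and opens a fresh connection.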

Vendor Advisories

Debian Bug report logs - #991492 curl: CVE-2021-22924 Package: src:curl; Maintainer for src:curl is Alessandro Ghedini <ghedo@debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org> Date: Sun, 25 Jul 2021 19:09:02 UTC Severity: important Tags: fixed-upstream, security, upstream Found in version curl/7.74.0-1.3 ...
A security issue has been found in curl before version 7.78.0. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuer cert' into account and it compared the involved paths case insensitively, whi ...
Arch Linux Security Advisory ASA-202107-61 ========================================== Severity: Medium Date : 2021-07-21 CVE-ID : CVE-2021-22924 CVE-2021-22925 Package : libcurl-compat Type : multiple issues Remote : Yes Link : security.archlinux.org/AVG-2196 Summary ======= The package libcurl-compat before version 7.78.0-1 i ...
Arch Linux Security Advisory ASA-202107-60 ========================================== Severity: Medium Date : 2021-07-21 CVE-ID : CVE-2021-22924 CVE-2021-22925 Package : lib32-curl Type : multiple issues Remote : Yes Link : security.archlinux.org/AVG-2195 Summary ======= The package lib32-curl before version 7.78.0-1 is vulner ...
Arch Linux Security Advisory ASA-202107-64 ========================================== Severity: Medium Date : 2021-07-21 CVE-ID : CVE-2021-22924 CVE-2021-22925 Package : lib32-libcurl-gnutls Type : multiple issues Remote : Yes Link : security.archlinux.org/AVG-2199 Summary ======= The package lib32-libcurl-gnutls before versio ...
Arch Linux Security Advisory ASA-202107-62 ========================================== Severity: Medium Date : 2021-07-21 CVE-ID : CVE-2021-22924 CVE-2021-22925 Package : lib32-libcurl-compat Type : multiple issues Remote : Yes Link : security.archlinux.org/AVG-2197 Summary ======= The package lib32-libcurl-compat before versio ...
Arch Linux Security Advisory ASA-202107-63 ========================================== Severity: Medium Date : 2021-07-21 CVE-ID : CVE-2021-22924 CVE-2021-22925 Package : libcurl-gnutls Type : multiple issues Remote : Yes Link : security.archlinux.org/AVG-2198 Summary ======= The package libcurl-gnutls before version 7.78.0-1 i ...
Arch Linux Security Advisory ASA-202107-59 ========================================== Severity: Medium Date : 2021-07-21 CVE-ID : CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925 Package : curl Type : multiple issues Remote : Yes Link : security.archlinux.org/AVG-2194 Summary ======= The package curl before version ...

Mailing Lists

Bad connection reuse due to flawed path name checks =================================================== Project curl Security Advisory, July 21st 2021 - [Permalink](https://curl.se/docs/CVE-2021-22924.html) VULNERABILITY ------------- libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them ...