CVE-2021-22946

Published: 29/09/2021 Updated: 27/03/2024
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

A security issue was found in curl prior to 7.79.0. A user can tell curl to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations without TLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
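The advisory above describes a client that asks for a TLS upgrade, is answered by the server, and then carries on in clear text. The following harness is an added example, not code from the curl project or from this page: it runs a constructed IMAP server on localhost that advertises STARTTLS, answers the STARTTLS command with a tagged NO (the reply text is an assumption), and records whether the client then sends LOGIN credentials over the unencrypted connection. `is_affected` checks a `curl --version` banner against the 7.79.0 fix boundary given in the summary; `probe_curl` runs the installed curl with `--ssl-reqd` against the fake server; `simulated_client` reproduces both the ignoring and the honouring behaviour offline so the harness itself can be exercised without an old curl.

```python
# Added check for CVE-2021-22946; fake server, replies and client are constructed.
import re
import shutil
import socket
import subprocess
import threading

FIXED_IN = (7, 79, 0)  # first curl release with the fix, per the advisory


def is_affected(version_banner):
    """True if the first line of `curl --version` names a release before 7.79.0."""
    m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", version_banner)
    if not m:
        raise ValueError("unrecognised curl version banner: %r" % version_banner)
    return tuple(int(x) for x in m.groups()) < FIXED_IN


class RefusingImapServer(threading.Thread):
    """Fake IMAP server: advertises STARTTLS, refuses the STARTTLS command with a
    tagged NO, then records any LOGIN/AUTHENTICATE line sent in clear text."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.cleartext_login = None
        self.done = threading.Event()

    def run(self):
        conn, _ = self.listener.accept()
        conn.settimeout(5)
        f = conn.makefile("rwb")

        def send(line):
            f.write(line.encode() + b"\r\n")
            f.flush()

        try:
            send("* OK fake IMAP ready")
            while True:
                line = f.readline().decode(errors="replace").strip()
                parts = line.split(" ", 2)
                if len(parts) < 2:  # EOF or malformed line: stop
                    break
                tag, cmd = parts[0], parts[1].upper()
                if cmd == "CAPABILITY":
                    send("* CAPABILITY IMAP4rev1 STARTTLS")
                    send(tag + " OK")
                elif cmd == "STARTTLS":
                    send(tag + " NO STARTTLS unavailable")  # legitimate refusal
                elif cmd in ("LOGIN", "AUTHENTICATE"):
                    self.cleartext_login = line  # credentials arrived in the clear
                    send(tag + " NO")
                    break
                elif cmd == "LOGOUT":
                    send("* BYE")
                    send(tag + " OK")
                    break
                else:
                    send(tag + " BAD")
        except OSError:
            pass
        finally:
            f.close()
            conn.close()
            self.listener.close()
            self.done.set()


def run_against_refusing_server(client, timeout=10):
    """Start the fake server and call client(port). Returns (client result,
    line seen in clear text after the refusal, or None if the client aborted)."""
    srv = RefusingImapServer()
    srv.start()
    try:
        result = client(srv.port)
    finally:
        srv.done.wait(timeout)
    return result, srv.cleartext_login


def simulated_client(port, continue_after_refusal):
    """Offline stand-in for a client: CAPABILITY, STARTTLS, then LOGIN anyway if
    continue_after_refusal (the behaviour the advisory describes), else abort."""
    s = socket.create_connection(("127.0.0.1", port), timeout=5)
    f = s.makefile("rwb")
    f.readline()  # greeting
    steps = [("A001 CAPABILITY", 2), ("A002 STARTTLS", 1)]
    if continue_after_refusal:
        steps.append(("A003 LOGIN user secret", 1))
    for cmd, reply_lines in steps:
        f.write(cmd.encode() + b"\r\n")
        f.flush()
        for _ in range(reply_lines):
            f.readline()
    f.close()
    s.close()


def probe_curl(curl="curl"):
    """Run the installed curl with --ssl-reqd against the fake server; returns
    (exit code, leaked line). A fixed build exits non-zero and leaks nothing."""
    path = shutil.which(curl)
    if path is None:
        raise FileNotFoundError(curl)
    return run_against_refusing_server(lambda port: subprocess.run(
        [path, "-sS", "--max-time", "5", "--ssl-reqd", "-u", "user:secret",
         "imap://127.0.0.1:%d/" % port], capture_output=True, timeout=10).returncode)
```

Running `probe_curl()` on a build that honours `--ssl-reqd` returns a non-zero exit code and `None` for the leaked line; a build that continues after the refusal hands the server the LOGIN line, which is exactly the clear-text exposure the summary describes. The dummy credentials are constructed and only ever reach the local fake server.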

Vulnerable Products

haxx curl

debian debian linux 9.0

debian debian linux 10.0

debian debian linux 11.0

fedoraproject fedora 33

fedoraproject fedora 35

netapp cloud backup -

netapp snapcenter -

netapp oncommand workflow automation -

netapp oncommand insight -

netapp clustered data ontap -

netapp h300s_firmware -

netapp h500s_firmware -

netapp h700s_firmware -

netapp h300e_firmware -

netapp h500e_firmware -

netapp h700e_firmware -

netapp h410s_firmware -

netapp solidfire_baseboard_management_controller_firmware -

oracle peoplesoft enterprise peopletools 8.57

oracle peoplesoft enterprise peopletools 8.58

oracle peoplesoft enterprise peopletools 8.59

oracle mysql server

oracle communications cloud native core network slice selection function 1.8.0

oracle communications cloud native core network repository function 1.15.0

oracle communications cloud native core network function cloud native environment 1.10.0

oracle communications cloud native core service communication proxy 1.15.0

oracle communications cloud native core network repository function 1.15.1

oracle communications cloud native core binding support function 1.11.0

apple macos

siemens sinec infrastructure network services

oracle commerce guided search 11.3.2

oracle communications cloud native core network repository function 22.1.0

oracle communications cloud native core binding support function 22.1.3

oracle communications cloud native core network repository function 22.2.0

oracle communications cloud native core security edge protection proxy 22.1.1

oracle communications cloud native core console 22.2.0

splunk universal forwarder 9.1.0

splunk universal forwarder

Vendor Advisories

Debian Bug report logs - #1017589 CVE-2021-22946: ftp,imap,pop3: do not ignore ssl-reqd. Package: libcurl4; Maintainer for libcurl4 is Alessandro Ghedini <ghedo@debian.org>; Source for libcurl4 is src:curl (PTS, buildd, popcon). Reported by: Akira Shibakawa <arabishi900@gmail.com>. Date: Thu, 18 Aug 2022 03:30:01 UTC. S ...
Synopsis: Moderate: curl security update. Type/Severity: Security Advisory: Moderate. Red Hat Insights patch analysis: Identify and remediate systems affected by this advisory. View affected systems. Topic: An update for curl is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this u ...
Synopsis: Moderate: rh-dotnet31-curl security update. Type/Severity: Security Advisory: Moderate. Red Hat Insights patch analysis: Identify and remediate systems affected by this advisory. View affected systems. Topic: An update for rh-dotnet31-curl is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rat ...
Synopsis: Moderate: OpenShift Container Platform 4.10.3 security update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat OpenShift Container Platform release 4.10.3 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of ...
Synopsis: Important: Service Telemetry Framework 1.4 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Service Telemetry Framework 1.4 for RHEL 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which g ...
Multiple security vulnerabilities have been discovered in cURL, a URL transfer library. These flaws may allow remote attackers to obtain sensitive information, leak authentication or cookie header data, or facilitate a denial of service attack. For the stable distribution (bullseye), these problems have been fixed in version 7.74.0-1.3+deb11u2. We ...
A flaw was found in curl. This flaw lies in the --ssl-reqd option or related settings in libcurl. Users specify this flag to upgrade to TLS when communicating with either an IMAP, POP3 or FTP server. An attacker controlling such servers could return a crafted response which could lead to the curl client continuing its operation without TLS encryption, lead ...
A flaw was found in libcurl. When sending data to an MQTT server, libcurl could in some situations use already freed memory and then try to free it again. The highest threat from this vulnerability is to data confidentiality as well as system availability. (CVE-2021-22945) A flaw was found in curl. This flaw lies in the --ssl-reqd option o ...
A security issue was found in curl before 7.79.0. A user can tell curl to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl). This requirement could be bypassed if the server would return a properly crafted but ...
About Apple security updates: For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. Apple security documents reference vulnerabilities by CVE-ID ...

Github Repositories

Bug-Bounty-n00b ( Yet to organize! Will Update Soon ) That tweet is only intended for Beginners/Freshers in bug bounty hunting who just started learning about this or want to start! If you are already doing hunting or doing labs then Maybe this won't be too much helpful to you Thanks! It all depends on interest and hard work, not on degree, age, branch, college, etc Wha