When curl is instructed to download content using the metalink feature, the content is verified against a hash provided in the metalink XML file. The metalink XML file tells the client how to get the same content from a set of different URLs, potentially hosted by different servers, and the client can then download the file from one or several of them, serially or in parallel.

If one of the servers hosting the content has been breached and the contents of the specific file on that server are replaced with a modified payload, curl should detect this when the hash of the file mismatches after a completed download. It should remove the content and instead try getting it from another URL. This is not done: such a hash mismatch is only mentioned in text, and the potentially malicious content is kept in the file on disk. A caller that keys off the presence of the downloaded file rather than on that diagnostic is therefore handed attacker-controlled content.
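The behaviour described above, and the behaviour a metalink client should have, as an added example in Python. This is not curl's code; it parses a constructed Metalink 4 document (RFC 5854 layout, `sha-256` hash type), simulates two mirrors with an in-memory dict so it runs offline, and shows the flawed strategy (report the mismatch, keep the file, stop) beside the hardened one (delete the file, try the next URL, fail closed if every mirror is bad). The mirror hostnames and file contents are placeholders.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

ML_NS = "{urn:ietf:params:xml:ns:metalink}"  # Metalink 4 namespace (RFC 5854)

# Constructed Metalink 4 document for this example; the mirror hostnames
# are placeholders and are never contacted.
METALINK_XML = """<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="tool.tar.gz">
    <hash type="sha-256">{digest}</hash>
    <url>https://mirror-a.example/tool.tar.gz</url>
    <url>https://mirror-b.example/tool.tar.gz</url>
  </file>
</metalink>
"""

GOOD_CONTENT = b"genuine release payload\n"
TAMPERED_CONTENT = b"#!/bin/sh\necho backdoored\n"

# Simulated mirrors (constructed): mirror-a is "breached" and serves a
# modified file, mirror-b still serves the genuine one.
FAKE_SERVERS = {
    "https://mirror-a.example/tool.tar.gz": TAMPERED_CONTENT,
    "https://mirror-b.example/tool.tar.gz": GOOD_CONTENT,
}

def parse_metalink(xml_text):
    """Return [(name, {hash_type: hex}, [url, ...]), ...] from Metalink 4 XML."""
    root = ET.fromstring(xml_text)
    files = []
    for f in root.findall(ML_NS + "file"):
        hashes = {h.get("type"): h.text.strip() for h in f.findall(ML_NS + "hash")}
        urls = [u.text.strip() for u in f.findall(ML_NS + "url")]
        files.append((f.get("name"), hashes, urls))
    return files

def sha256_file(path):
    """Hash the file as written to disk, not the bytes held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def download_vulnerable(name, hashes, urls, outdir, servers=FAKE_SERVERS):
    """The flawed behaviour: a mismatch is only reported, the file stays on
    disk and no other URL is tried. Returns (path, ok)."""
    path = os.path.join(outdir, name)
    with open(path, "wb") as fh:
        fh.write(servers[urls[0]])
    ok = sha256_file(path) == hashes["sha-256"]
    if not ok:
        print(f"warning: hash mismatch for {path}")  # and nothing else happens
    return path, ok

def download_verified(name, hashes, urls, outdir, servers=FAKE_SERVERS):
    """Hardened behaviour: on mismatch delete the file and try the next URL;
    fail closed if no URL yields matching content. Returns (path, url)."""
    expected = hashes.get("sha-256")
    if expected is None:
        raise ValueError(f"{name}: metalink carries no sha-256, refusing unverified download")
    path = os.path.join(outdir, name)
    for url in urls:
        with open(path, "wb") as fh:
            fh.write(servers[url])
        if sha256_file(path) == expected:
            return path, url
        os.remove(path)  # never leave unverified bytes where a caller will use them
    raise RuntimeError(f"{name}: no mirror served content matching the expected hash")

def demo():
    """Run both strategies against the simulated mirrors; return a summary dict."""
    xml_text = METALINK_XML.format(digest=hashlib.sha256(GOOD_CONTENT).hexdigest())
    name, hashes, urls = parse_metalink(xml_text)[0]
    out = {}
    with tempfile.TemporaryDirectory() as d:
        path, ok = download_vulnerable(name, hashes, urls, d)
        out["vulnerable_ok"] = ok
        out["vulnerable_file_left"] = os.path.exists(path)
        with open(path, "rb") as fh:
            out["vulnerable_content"] = fh.read()
    with tempfile.TemporaryDirectory() as d:
        path, url = download_verified(name, hashes, urls, d)
        out["verified_url"] = url
        with open(path, "rb") as fh:
            out["verified_content"] = fh.read()
    with tempfile.TemporaryDirectory() as d:  # every mirror compromised
        all_bad = {u: TAMPERED_CONTENT for u in urls}
        try:
            download_verified(name, hashes, urls, d, servers=all_bad)
            out["all_tampered_rejected"] = False
        except RuntimeError:
            out["all_tampered_rejected"] = True
        out["all_tampered_leftover"] = os.path.exists(os.path.join(d, name))
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Running it shows the flawed path leaving the tampered bytes on disk with only a printed warning, while the hardened path ends up with the genuine file from the second mirror and, when every mirror is bad, leaves nothing behind and raises. The hash is computed over the bytes actually written to disk, which is the only thing the caller will later consume.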

Affected Software

CPE Name                                       Name                                           Version
haxx:curl                                      haxx curl                                      7.78.0
fedoraproject:fedora                           fedoraproject fedora                           33
netapp:cloud_backup                            netapp cloud backup                            -
netapp:clustered_data_ontap                    netapp clustered data ontap                    -
netapp:solidfire                               netapp solidfire                               -
netapp:hci_management_node                     netapp hci management node                     -
oracle:mysql_server                            oracle mysql server                            8.0.26
oracle:mysql_server                            oracle mysql server                            5.7.35
siemens:sinec_infrastructure_network_services  siemens sinec infrastructure network services
netapp:h300s_firmware                          netapp h300s firmware                          -
netapp:h500s_firmware                          netapp h500s firmware                          -
netapp:h700s_firmware                          netapp h700s firmware                          -
netapp:h300e_firmware                          netapp h300e firmware                          -
netapp:h500e_firmware                          netapp h500e firmware                          -
netapp:h700e_firmware                          netapp h700e firmware                          -
netapp:h410s_firmware                          netapp h410s firmware                          -