Lucene search

K
cve[email protected]CVE-2021-22923
HistoryAug 05, 2021 - 9:15 p.m.

CVE-2021-22923

2021-08-0521:15:11
CWE-319
CWE-522
web.nvd.nist.gov
250
3
cve
2021
22923
curl
metalink
credentials
leakage
nvd
security

2.6 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

6.1 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.7%

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user’s expectations and intentions and without telling the user it happened.

Affected configurations

NVD
Node
haxxcurlRange7.27.07.78.0
Node
fedoraprojectfedoraMatch33
Node
netappcloud_backupMatch-
OR
netappclustered_data_ontapMatch-
OR
netapphci_management_nodeMatch-
OR
netappsolidfireMatch-
Node
oraclemysql_serverRange5.7.05.7.35
OR
oraclemysql_serverRange8.0.08.0.26
Node
siemenssinec_infrastructure_network_servicesRange<1.0.1.1
Node
netapph300s_firmwareMatch-
AND
netapph300sMatch-
Node
netapph500s_firmwareMatch-
AND
netapph500sMatch-
Node
netapph700s_firmwareMatch-
AND
netapph700sMatch-
Node
netapph300e_firmwareMatch-
AND
netapph300eMatch-
Node
netapph500e_firmwareMatch-
AND
netapph500eMatch-
Node
netapph700e_firmwareMatch-
AND
netapph700eMatch-
Node
netapph410s_firmwareMatch-
AND
netapph410sMatch-
Node
splunkuniversal_forwarderRange8.2.08.2.12
OR
splunkuniversal_forwarderRange9.0.09.0.6
OR
splunkuniversal_forwarderMatch9.1.0
CPENameOperatorVersion
haxx:curlhaxx curllt7.78.0

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "https://github.com/curl/curl",
    "versions": [
      {
        "version": "curl 7.27.0 to and including 7.77.0",
        "status": "affected"
      }
    ]
  }
]

Social References

More

2.6 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

6.1 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.7%