Source: nvd
ID: NVD:CVE-2021-22901
History: Jun 11, 2021 - 4:15 p.m.

CVE-2021-22901

Published: 2021-06-11 16:15:11
CWE: CWE-416
Source: web.nvd.nist.gov
Tags: curl, use-after-free, tls 1.3, remote code execution, openssl, memory buffer, session ticket

CVSS2: 6.8

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 8.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.1
Percentile: 94.9%

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client.

When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed.

When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.
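
The lifetime problem described above, reduced to a toy C model. This is an added example, not libcurl source and not part of the NVD record: every struct and function name is hypothetical, freed memory is modelled with a `live` flag so the stale case is reported rather than triggered, and the "hardened" variant is a general mitigation pattern assumed here, not a description of curl's actual fix.

```c
#include <stdio.h>

/* Toy lifetime model; all names are hypothetical, none are libcurl's. */
struct transfer   { int live; int tickets; };   /* per-request object */
struct connection { struct transfer *owner; };  /* saved for the ticket callback */

/* The pointer is stored when TLS is set up on the connection. */
static void tls_setup(struct connection *c, struct transfer *t) { c->owner = t; }

/* Flawed teardown: the transfer goes away, the connection keeps its pointer. */
static void transfer_end_flawed(struct transfer *t) { t->live = 0; }

/* Hardened: a transfer that starts using the connection re-associates itself */
static void conn_attach(struct connection *c, struct transfer *t) { c->owner = t; }
/* and a transfer that ends detaches before it is released. */
static void transfer_end_hardened(struct connection *c, struct transfer *t) {
    if (c->owner == t) c->owner = NULL;
    t->live = 0;
}

/* Session-ticket callback: 1 = handled by a live transfer, 0 = nobody attached
 * (ticket dropped), -1 = stored pointer is stale; real code would read freed
 * memory, and possibly call a function pointer in it, at this point. */
static int on_session_ticket(struct connection *c) {
    if (c->owner == NULL) return 0;
    if (!c->owner->live) return -1;
    c->owner->tickets++;
    return 1;
}

/* First transfer sets up TLS and then ends; with reused != 0 a second transfer
 * shares the connection. The server's session ticket arrives afterwards. */
static int ticket_after_first_ends(int hardened, int reused) {
    struct transfer first = {1, 0}, second = {1, 0};
    struct connection c = {NULL};
    tls_setup(&c, &first);
    if (hardened) {
        if (reused) conn_attach(&c, &second);
        transfer_end_hardened(&c, &first);
    } else {
        transfer_end_flawed(&first);  /* a second transfer never updates c.owner */
    }
    return on_session_ticket(&c);
}

int main(void) {
    printf("flawed: %d, hardened reuse: %d, hardened idle: %d\n", ticket_after_first_ends(0, 1),
           ticket_after_first_ends(1, 1), ticket_after_first_ends(1, 0));
    return 0;
}
```

In real code the same class of bug is what AddressSanitizer reports as a heap-use-after-free, which makes a sanitizer build of the client a practical way to confirm whether a given code path is exposed.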

Affected configurations

Nvd

Node
  haxx curl: Range 7.75.0 to 7.76.1

Node
  oracle communications_cloud_native_core_binding_support_function: Match 1.11.0
  OR oracle communications_cloud_native_core_network_function_cloud_native_environment: Match 1.10.0
  OR oracle communications_cloud_native_core_network_repository_function: Match 1.15.0
  OR oracle communications_cloud_native_core_network_repository_function: Match 1.15.1
  OR oracle communications_cloud_native_core_network_slice_selection_function: Match 1.8.0
  OR oracle communications_cloud_native_core_service_communication_proxy: Match 1.15.0
  OR oracle essbase: Range <11.1.2.4.047
  OR oracle essbase: Range 21.0 to 21.3
  OR oracle mysql_server: Range 5.7.34
  OR oracle mysql_server: Range 8.0.0 to 8.0.25

Node
  netapp active_iq_unified_manager: Match - vsphere
  OR netapp active_iq_unified_manager: Match - windows
  OR netapp cloud_backup: Match -
  OR netapp oncommand_insight: Match -
  OR netapp oncommand_workflow_automation: Match -
  OR netapp snapcenter: Match -
  OR netapp solidfire\,_enterprise_sds_\&_hci_storage_node: Match -
  OR netapp solidfire_\&_hci_management_node: Match -
  OR netapp solidfire_baseboard_management_controller_firmware: Match -

Node
  netapp hci_compute_node_firmware: Match -
  AND netapp hci_compute_node: Match -

Node
  netapp h300e_firmware: Match -
  AND netapp h300e: Match -

Node
  netapp h300s_firmware: Match -
  AND netapp h300s: Match -

Node
  netapp h410s_firmware: Match -
  AND netapp h410s: Match -

Node
  netapp h500e_firmware: Match -
  AND netapp h500e: Match -

Node
  netapp h500s_firmware: Match -
  AND netapp h500s: Match -

Node
  netapp h700e_firmware: Match -
  AND netapp h700e: Match -

Node
  netapp h700s_firmware: Match -
  AND netapp h700s: Match -

Node
  siemens sinec_infrastructure_network_services: Range <1.0.1.1

Node
  splunk universal_forwarder: Range 8.2.0 to 8.2.12
  OR splunk universal_forwarder: Range 9.0.0 to 9.0.6
  OR splunk universal_forwarder: Match 9.1.0

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| haxx | curl | * | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_binding_support_function | 1.11.0 | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | 1.10.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_repository_function | 1.15.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_repository_function | 1.15.1 | cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_slice_selection_function | 1.8.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_service_communication_proxy | 1.15.0 | cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:* |
| oracle | essbase | * | cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:* |
| oracle | mysql_server | * | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| netapp | active_iq_unified_manager | - | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:* |