CVE-2021-22946

2021-09-2920:15:08

Google

osv.dev

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

67.8%

JSON

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line orCURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations withoutTLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

CPENameOperatorVersion
curleqcurl-7_64_0
curleq7.56.1-r1
curleq7.65.3-r0
curleq7.51.0-r1
curleq7.30.0-r0
curleqcurl-7_40_0
curleq7.45.0-r1
curleq7.77.0-r1
curleq7.60.0-r0
curleq7.21.4-r1

Name	Operator	Version
curl	eq	curl-7_64_0
curl	eq	7.56.1-r1
curl	eq	7.65.3-r0
curl	eq	7.51.0-r1
curl	eq	7.30.0-r0
curl	eq	curl-7_40_0
curl	eq	7.45.0-r1
curl	eq	7.77.0-r1
curl	eq	7.60.0-r0
curl	eq	7.21.4-r1