Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-22923
HistoryJul 21, 2021 - 12:00 a.m.

CVE-2021-22923

2021-07-2100:00:00
ubuntu.com
ubuntu.com
16

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

2.6 Low

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

56.7%

When curl is instructed to get content using the metalink feature, and a
user name and password are used to download the metalink XML file, those
same credentials are then subsequently passed on to each of the servers
from which curl will download or try to download the contents from. Often
contrary to the userโ€™s expectations and intentions and without telling the
user it happened.

Notes

Author Note
mdeslaur introduced in 7.27.0 per upstream โ€œcurl has completely removed the metalink feature as of 7.78.0. No fix for this flaw will be produced by the curl project. The fix for earlier versions is to rebuild curl with the metalink support switched off!โ€ Ubuntu builds curl with metalink support switched off already.

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

2.6 Low

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

56.7%