Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-22924
HistoryJul 21, 2021 - 12:00 a.m.

CVE-2021-22924

2021-07-2100:00:00
ubuntu.com
ubuntu.com
19

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.002

Percentile

53.6%

libcurl keeps previously used connections in a connection pool for
subsequenttransfers to reuse, if one of them matches the setup.Due to
errors in the logic, the config matching function did not take ‘issuercert’
into account and it compared the involved paths case insensitively,which
could lead to libcurl reusing wrong connections.File paths are, or can be,
case sensitive on many systems but not all, and caneven vary depending on
used file systems.The comparison also didn’t include the ‘issuer cert’
which a transfer can setto qualify how to verify the server certificate.

Notes

Author Note
mdeslaur introduced in 7.10.4
rodrigo-zaiden although the issue was introduced in 7.10.4, versions earlier than 7.52.0 would need at least parts of commit cb4e2be7 so the fix for this CVE can be applied. this change seems quite intrusive and there is a high risk of regressions. hence, versions earlier than 7.52 will be ignored.
OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchcurl< 7.58.0-2ubuntu3.14UNKNOWN
ubuntu20.04noarchcurl< 7.68.0-1ubuntu2.6UNKNOWN
ubuntu21.04noarchcurl< 7.74.0-1ubuntu2.1UNKNOWN
ubuntu21.10noarchcurl< 7.74.0-1.2ubuntu4UNKNOWN
ubuntu22.04noarchcurl< 7.74.0-1.2ubuntu4UNKNOWN
ubuntu22.10noarchcurl< 7.74.0-1.2ubuntu4UNKNOWN
ubuntu23.04noarchcurl< 7.74.0-1.2ubuntu4UNKNOWN

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.002

Percentile

53.6%