CVE-2021-22901

CWE-416: Use After Free | 11 documents | 9 sources
Severity: 8.1 HIGH
EPSS: 0.3% (top 42.96%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 11 | Latest update May 24

Description

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-vjwf-ghhc-2p8q: curl 7 (2022-05-24)
CVEList: CVE-2021-22901: curl 7 (2021-06-11)
OSV: CVE-2021-22901: curl 7 (2021-06-11)

📋 Vendor Advisories (6)

Oracle: Oracle Fusion Middleware Risk Matrix: SSL Module (cURL) — CVE-2021-22901 (2022-04-15)
Oracle: Oracle Essbase Risk Matrix: Build (cURL) — CVE-2021-22901 (2022-01-15)
Oracle: Oracle MySQL Risk Matrix: Server: Packaging (curl) — CVE-2021-22901 (2021-07-15)
Microsoft: curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use (2021-06-08)
Red Hat: curl: Use-after-free in TLS session handling when using OpenSSL TLS backend (2021-05-26)

💬 Community (1)

HackerOne: CVE-2021-22901: TLS session caching disaster (2021-05-26)