CVE-2021-22924: libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic…

low3.7CVSS 3.1

AVNACHPRNUINSUCLINAN

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

Affected

44 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	curl	< curl 7.79.1-1 (bookworm)	curl 7.79.1-1 (bookworm)
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
fedoraproject	fedora	—	—
haxx	curl	>= 0 < 7.74.0-1.3+deb11u2	7.74.0-1.3+deb11u2
haxx	curl	>= 0 < 7.79.1-1	7.79.1-1
haxx	curl	>= 0 < 7.79.1-1	7.79.1-1
haxx	curl	>= 0 < 7.79.1-1	7.79.1-1
haxx	curl	>= 0 < 7.58.0-2ubuntu3.14	7.58.0-2ubuntu3.14
haxx	curl	>= 0 < 7.68.0-1ubuntu2.6	7.68.0-1ubuntu2.6
haxx	libcurl	>= 7.10.4 < 7.77.0	7.77.0
https	github.com_curl_curl	—	—
msrc	cbl2_curl_7.76.0-5_on_cbl_mariner_2.0	—	—
msrc	cm1_curl_7.76.0-5_on_cbl_mariner_1.0	—	—
oracle	mysql_server	5.7.0 – 5.7.36	—
oracle	mysql_server	8.0.0 – 8.0.26	—
oracle	peoplesoft_enterprise_peopletools	—	—
oracle	peoplesoft_enterprise_peopletools	—	—
oracle	peoplesoft_enterprise_peopletools	—	—
siemens	ruggedcomrm_1224_lte_firmware	< 7.1	7.1
siemens	scalance_m804pb_firmware	< 7.1	7.1
siemens	scalance_m812-1_firmware	< 7.1	7.1
siemens	scalance_m816-1_firmware	< 7.1	7.1
siemens	scalance_m826-2_firmware	< 7.1	7.1

CVSS provenance

nvdv3.13.7LOWCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

osv3.7LOW