CVE-2021-22924
Severity
3.7LOW
EPSS
0.7%
top 26.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedAug 5
Latest updateMay 24
Description
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issue…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4
Affected Packages28 packages
Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33
Patches
🔴Vulnerability Details
4GHSA▶
GHSA-qhhj-q26m-mrw8: libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup↗2022-05-24
CVEList▶
CVE-2021-22924: libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup↗2021-08-05
OSV▶
CVE-2021-22924: libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup↗2021-08-05
📋Vendor Advisories
4Microsoft▶
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup.Due to errors in the logic the config matching function did not take 'i↗2021-08-10
Debian▶
CVE-2021-22924: curl - libcurl keeps previously used connections in a connection pool for subsequenttra...↗2021