CVE-2021-22946
Severity
7.5 HIGH
EPSS
0.1%
top 76.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Sep 29
Latest update Oct 15
Description
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations **without TLS** contrary to the instructions and expectations, exposing possi…
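The practical first question on a downgrade bug like this is whether a given host runs a build inside the affected range. The following is an added example, not code from the advisory or from the curl project: it parses the first line of `curl --version`, extracts both the curl tool version and the `libcurl/` version it reports (the two can differ when the tool is linked against a system libcurl, and it is libcurl that implements `CURLOPT_USE_SSL`), and compares each against the >= 7.20.0 and <= 7.78.0 range given above. The banner strings are constructed for illustration, not captured from real systems.

```python
"""Check whether a curl / libcurl build falls inside the range the advisory
lists for CVE-2021-22946 (curl >= 7.20.0 and <= 7.78.0).

Added example; not part of the advisory or of the curl project. The sample
banners at the bottom are constructed, not captured from real hosts."""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (7, 20, 0)
AFFECTED_MAX = (7, 78, 0)  # 7.79.0 is the first release outside the range

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '7.78.0', '7.78.0-DEV' or '7.2' into a comparable (major, minor, patch)
    tuple. Suffixes such as -DEV or vendor tags are ignored for the range check."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies inside the advisory's affected range (inclusive)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def versions_from_curl_banner(banner: str) -> dict:
    """Extract the tool version and the libcurl version from the first line of
    `curl --version`, e.g.
    'curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f ...'.
    Either value is None when the line does not carry it."""
    first = banner.splitlines()[0] if banner else ""
    tool = re.search(r"^curl\s+(\S+)", first)
    lib = re.search(r"libcurl/(\S+)", first)
    return {
        "curl": parse_version(tool.group(1)) if tool else None,
        "libcurl": parse_version(lib.group(1)) if lib else None,
    }


def assess(banner: str) -> dict:
    """Map each component to True (in range), False (outside) or None (unparsed)."""
    found = versions_from_curl_banner(banner)
    return {name: (is_affected(v) if v else None) for name, v in found.items()}


# Constructed sample banners (hypothetical hosts, not real captures).
SAMPLES = {
    "in_range": "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11",
    "fixed": "curl 7.79.1 (x86_64-pc-linux-gnu) libcurl/7.79.1 OpenSSL/1.1.1l zlib/1.2.11",
    "too_old": "curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3",
    "mixed": "curl 7.79.1 (x86_64-pc-linux-gnu) libcurl/7.78.0 OpenSSL/1.1.1l",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(name, assess(banner))
```

Treat a version inside the range as a prompt to check the distribution's advisory, not as proof of exposure: Debian, Red Hat and similar vendors routinely backport fixes without changing the version string, so the packages listed under Affected Packages below are the authoritative per-distribution signal.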
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 17 packages
Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 35
Patches
Vulnerability Details (7)
Vendor Advisories (11)
Oracle
Oracle Commerce Risk Matrix: Framework, Experience Manager (cURL) — CVE-2021-22946, 2022-07-15