CVE-2021-22947

Severity: 5.9 MEDIUM
EPSS: 0.3% (top 51.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 29; Latest update May 24

Description

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trusting the responses it got *before* the TLS handshake as if they were authenticated. Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, th

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (16 packages)

Source      Package                        Affected range
NVD         haxx/curl                      7.20.0 to 7.79.0
Debian      curl                           < 7.74.0-1.3+deb11u2 (+3 more)
NVD         oracle/mysql_server            5.7.0 to 5.7.35 (+1 more)
CVEList V5  https://github.com/curl/curl   curl 7.20.0 to and including 7.78.0

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 35

Patches

Vulnerability Details (6)

GHSA     GHSA-94jh-wwgf-cmmc: When curl >= 7 (2022-05-24)
CVEList  CVE-2021-22947: When curl >= 7 (2021-09-29)
OSV      CVE-2021-22947: When curl >= 7 (2021-09-29)
OSV      curl regression (2021-09-21)
OSV      curl vulnerabilities (2021-09-15)

Vendor Advisories (6)

Apple      CVE-2021-22947: macOS Monterey 12.3 (2022-03-14)
Microsoft  Open Source Curl Remote Code Execution Vulnerability (2022-01-11)
Ubuntu     curl vulnerabilities (2021-09-15)
Ubuntu     curl vulnerabilities (2021-09-15)
Red Hat    curl: Server responses received before STARTTLS processed after TLS handshake (2021-09-15)

Community (1)

HackerOne  CVE-2021-22947: STARTTLS protocol injection via MITM (2021-09-24)