CVE-2021-22926

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 05-08-2021 11:15

Last modified: - 16-05-2022 10:14

Total changes: - 15

Description

libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Low

Attack complexity

Network

Attack vector

High

Availability

None

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

vendor=haxx AND product=curl AND versionStartIncluding=7.33.0 AND versionEndExcluding=7.78.0

vendor=netapp AND product=snapcenter AND version=-

vendor=netapp AND product=oncommand_workflow_automation AND version=-

vendor=netapp AND product=oncommand_insight AND version=-

vendor=netapp AND product=clustered_data_ontap AND version=-

vendor=netapp AND product=solidfire AND version=-

vendor=netapp AND product=hci_management_node AND version=-

vendor=netapp AND product=active_iq_unified_manager AND version=- AND target_software=vmware_vsphere

vendor=netapp AND product=active_iq_unified_manager AND version=- AND target_software=windows

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.57

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.58

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.59

vendor=oracle AND product=mysql_server AND versionEndIncluding=8.0.26 AND versionStartIncluding=8.0.0

vendor=oracle AND product=mysql_server AND versionEndIncluding=5.7.35 AND versionStartIncluding=5.7.0

vendor=siemens AND product=sinec_infrastructure_network_services AND versionEndExcluding=1.0.1.1

Reference

https://hackerone.com/reports/1234760
[kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image-Mailing List, Third Party Advisory
[kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image-Mailing List, Third Party Advisory
[kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image-Mailing List, Third Party Advisory
[kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image-Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20210902-0003/
https://www.oracle.com/security-alerts/cpuoct2021.html
https://security.netapp.com/advisory/ntap-20211022-0003/
https://www.oracle.com/security-alerts/cpujan2022.html
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Keywords

CVE-2021-22926

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2021-22926

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures