CVE-2021-22947

 

Published at: - 29-09-2021 10:15

Last modified: - 02-09-2022 03:40

Total changes: - 19

Description

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

 

Verification logic

 

Reference

• https://hackerone.com/reports/1334763
• [debian-lts-announce] 20210930 [SECURITY] [DLA 2773-1] curl security update-Mailing List, Third Party Advisory
• FEDORA-2021-fc96a3a749-Mailing List, Third Party Advisory
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://security.netapp.com/advisory/ntap-20211029-0003/
• FEDORA-2021-1d24845e93-Mailing List, Third Party Advisory
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://support.apple.com/kb/HT213183
• 20220314 APPLE-SA-2022-03-14-4 macOS Monterey 12.3-Mailing List, Third Party Advisory
• https://www.oracle.com/security-alerts/cpuapr2022.html
• N/A-
• DSA-5197-
• [debian-lts-announce] 20220828 [SECURITY] [DLA 3085-1] curl security update-

 

Keywords

NVD

 

CVE-2021-22947

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures