CVE-2021-22924
CVE-2021-22924 is a low-severity vulnerability rated 3.7/10 on the CVSS scale. libcurl keeps previously used connections in a connection pool for later transfers to reuse when one of them matches the new transfer's setup; because the configuration-matching logic compared the certificate paths case-insensitively and ignored the 'issuer cert' setting, libcurl could reuse the wrong connection. EPSS estimates a 6.27% chance of exploitation in the next 30 days.
Description
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuer cert' into account and it compared the involved paths *case insensitively*, which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even vary depending on used file systems. The comparison also didn't include the 'issuer cert' which a transfer can set to qualify how to verify the server certificate.
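The two defects in the matching rule are easiest to see side by side. The C program below is an added illustration written for this page, not libcurl's own code: `struct tls_config`, `make_config` and the two `config_matches_*` functions are a simplified model whose field names mirror the libcurl options they stand for (CURLOPT_CAINFO, CURLOPT_CAPATH, CURLOPT_ISSUERCERT, CURLOPT_SSL_VERIFYPEER). The file paths in `main` are constructed sample values. `config_matches_vulnerable` follows the behaviour the advisory describes (case-insensitive path comparison, issuer cert ignored); `config_matches_fixed` compares every path byte-for-byte and includes the issuer cert.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Per-transfer TLS settings that decide whether a pooled connection may be
 * reused. Field names mirror the libcurl options they stand for, but the
 * struct itself is an assumption made for this example, not libcurl's layout. */
struct tls_config {
    const char *cafile;      /* CURLOPT_CAINFO: CA bundle file */
    const char *capath;      /* CURLOPT_CAPATH: directory of CA certs */
    const char *issuercert;  /* CURLOPT_ISSUERCERT: required issuer of the server cert */
    bool verifypeer;         /* CURLOPT_SSL_VERIFYPEER */
};

/* Convenience constructor so scenarios read as one line. */
struct tls_config make_config(const char *cafile, const char *capath,
                              const char *issuercert, bool verifypeer)
{
    struct tls_config c = { cafile, capath, issuercert, verifypeer };
    return c;
}

/* NULL-safe exact comparison: two NULLs match, NULL never matches a string. */
static bool str_eq(const char *a, const char *b)
{
    if (!a || !b)
        return a == b;
    return strcmp(a, b) == 0;
}

/* NULL-safe ASCII case-insensitive comparison (portable stand-in for strcasecmp). */
static bool str_eq_nocase(const char *a, const char *b)
{
    if (!a || !b)
        return a == b;
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == *b;   /* true only if both strings ended together */
}

/* The flawed rule the advisory describes: paths compared case-insensitively,
 * and the issuer cert not consulted at all. */
bool config_matches_vulnerable(struct tls_config pooled, struct tls_config wanted)
{
    return pooled.verifypeer == wanted.verifypeer &&
           str_eq_nocase(pooled.cafile, wanted.cafile) &&
           str_eq_nocase(pooled.capath, wanted.capath);
}

/* The corrected rule: every path compared byte-for-byte, issuer cert included. */
bool config_matches_fixed(struct tls_config pooled, struct tls_config wanted)
{
    return pooled.verifypeer == wanted.verifypeer &&
           str_eq(pooled.cafile, wanted.cafile) &&
           str_eq(pooled.capath, wanted.capath) &&
           str_eq(pooled.issuercert, wanted.issuercert);
}

int main(void)
{
    /* Constructed scenario 1: the pooled connection was verified against one CA
     * bundle; the new transfer names a file that differs only in case. On a
     * case-sensitive file system those can be two different trust anchors. */
    struct tls_config pooled     = make_config("/etc/ssl/ca.pem", NULL, NULL, true);
    struct tls_config other_case = make_config("/etc/ssl/CA.pem", NULL, NULL, true);

    /* Constructed scenario 2: the new transfer additionally demands a specific
     * issuer cert, which the pooled connection was never checked against. */
    struct tls_config with_issuer = make_config("/etc/ssl/ca.pem", NULL,
                                                "/etc/ssl/issuer.pem", true);

    printf("case-only difference : vulnerable=%d fixed=%d\n",
           config_matches_vulnerable(pooled, other_case),
           config_matches_fixed(pooled, other_case));
    printf("issuer cert required : vulnerable=%d fixed=%d\n",
           config_matches_vulnerable(pooled, with_issuer),
           config_matches_fixed(pooled, with_issuer));
    return 0;
}
```

In both scenarios the vulnerable rule reports a match and hands back a connection that was authenticated under different settings than the transfer asked for; the fixed rule refuses and forces a new handshake. Where a libcurl in the affected range cannot be upgraded yet, a transfer whose CA or issuer settings differ from others in the same process can opt out of pool reuse with CURLOPT_FRESH_CONNECT and CURLOPT_FORBID_REUSE; upgrading libcurl remains the real fix.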
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Haxx | Libcurl | >= 7.10.4, <= 7.77.0 |
| Fedoraproject | Fedora | 33 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
| Netapp | Cloud Backup | All versions |
| Netapp | Clustered Data Ontap | All versions |
| Netapp | Solidfire & Hci Management Node | All versions |
| Netapp | Solidfire Baseboard Management Controller Firmware | All versions |
| Oracle | Mysql Server | >= 5.7.0, <= 5.7.36 |
| Oracle | Mysql Server | >= 8.0.0, <= 8.0.26 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Siemens | Sinec Infrastructure Network Services | < 1.0.1.1 |
| Siemens | Sinema Remote Connect Server | < 3.1 |
| Siemens | Logo! Cmr2040 Firmware | All versions |
| Siemens | Logo! Cmr2020 Firmware | All versions |
| Siemens | Ruggedcom Rm1224 Lte Firmware | < 7.1 |
| Siemens | Scalance M804pb Firmware | < 7.1 |
| Siemens | Scalance M812-1 Firmware | < 7.1 |
| Siemens | Scalance M816-1 Firmware | < 7.1 |
| Siemens | Scalance M826-2 Firmware | < 7.1 |
| Siemens | Scalance M874-2 Firmware | < 7.1 |
| Siemens | Scalance M874-3 Firmware | < 7.1 |
| Siemens | Scalance M876-3 Firmware | < 7.1 |
| Siemens | Scalance M876-4 Firmware | < 7.1 |
| Siemens | Scalance Mum856-1 Firmware | < 7.1 |
| Siemens | Scalance S615 Firmware | < 7.1 |
| Siemens | Simatic Cp 1543-1 Firmware | < 3.0.22 |
| Siemens | Simatic Cp 1545-1 Firmware | < 1.1 |
| Siemens | Simatic Rtu3010c Firmware | < 5.0.14 |
| Siemens | Simatic Rtu3030c Firmware | < 5.0.14 |
| Siemens | Simatic Rtu3031c Firmware | < 5.0.14 |
| Siemens | Simatic Rtu 3041c Firmware | < 5.0.14 |
| Siemens | Sinema Remote Connect | < 3.1 |
| Siemens | Siplus Net Cp 1543-1 Firmware | < 3.0.22 |
| Splunk | Universal Forwarder | >= 8.2.0, < 8.2.12 |
| Splunk | Universal Forwarder | >= 9.0.0, < 9.0.6 |
| Splunk | Universal Forwarder | 9.1.0 |
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (Patch, Third Party Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf (Third Party Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf (Third Party Advisory)
- https://hackerone.com/reports/1223565 (Exploit, Issue Tracking, Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210902-0003/ (Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5197 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-22924?
How severe is CVE-2021-22924?
How do I fix CVE-2021-22924?
Are you affected by CVE-2021-22924?
Source: NVD / NIST
