CVE-2021-22946
CVE-2021-22946 is a high-severity vulnerability in curl and libcurl, rated 7.5/10 on the CVSS scale. When curl is told to require a successful upgrade to TLS for IMAP, POP3 or FTP (`--ssl-reqd` on the command line, or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl), a server can return a properly crafted but perfectly legitimate response that makes curl silently continue **without TLS**, sending possibly sensitive data in clear text over the network. Affected: curl 7.20.0 through 7.78.0; fixed in 7.79.0. EPSS estimates a 4.22% chance of exploitation in the next 30 days.
Description
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations **without TLS**, contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Haxx | Curl | >= 7.20.0, < 7.79.0 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
| Fedoraproject | Fedora | 33 |
| Fedoraproject | Fedora | 35 |
| Netapp | Cloud Backup | All versions |
| Netapp | Clustered Data Ontap | All versions |
| Netapp | Oncommand Insight | All versions |
| Netapp | Oncommand Workflow Automation | All versions |
| Netapp | Snapcenter | All versions |
| Netapp | H300s Firmware | All versions |
| Netapp | H500s Firmware | All versions |
| Netapp | H700s Firmware | All versions |
| Netapp | H300e Firmware | All versions |
| Netapp | H500e Firmware | All versions |
| Netapp | H700e Firmware | All versions |
| Netapp | H410s Firmware | All versions |
| Netapp | Solidfire Baseboard Management Controller Firmware | All versions |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.11.0 |
| Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 1.10.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.15.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.15.1 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.15.0 |
| Oracle | Mysql Server | >= 5.7.0, <= 5.7.35 |
| Oracle | Mysql Server | >= 8.0.0, <= 8.0.26 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Apple | Macos | < 12.3 |
| Siemens | Sinec Infrastructure Network Services | < 1.0.1.1 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3 |
| Oracle | Communications Cloud Native Core Console | 22.2.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 22.1.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 22.2.0 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.1 |
| Splunk | Universal Forwarder | >= 8.2.0, < 8.2.12 |
| Splunk | Universal Forwarder | >= 9.0.0, < 9.0.6 |
| Splunk | Universal Forwarder | 9.1.0 |
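Two checks follow from the description and the table above: whether a host's curl falls in the affected range, and, independently of version, whether a transfer that was supposed to require TLS actually negotiated it. The POSIX shell script below is an added example written for this page; it is not code from the curl project or from the original entry. It encodes the range from the Affected Software table (>= 7.20.0, < 7.79.0), parses the first line of `curl --version`, and applies a heuristic to a `curl -v` trace: the `SSL connection using` line that curl's verbose mode prints once a TLS handshake has completed. The function names, the banner strings and the two traces are constructed for the example, not real captures.

```shell
#!/bin/sh
# Added example (not from the curl project or the original page): decide whether a
# curl version string is inside the range this CVE entry lists as affected
# (>= 7.20.0 and < 7.79.0), and check a `curl -v` trace for evidence that a TLS
# handshake actually happened. Function names and the trace heuristic are this
# example's own assumptions.

# Pack "major.minor.patch" into one integer so versions compare numerically
# (7.78.0 -> 7078000). Missing components count as 0.
version_key() {
  IFS=. read -r major minor patch <<EOF
$1
EOF
  echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Extract the upstream version from the first line of `curl --version`, e.g.
# "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f ..." -> "7.68.0".
curl_version_from_banner() {
  printf '%s\n' "$1" | awk 'NR == 1 && $1 == "curl" { print $2; exit }'
}

# Returns 0 (true) when the given version is inside the affected range.
cve_2021_22946_version_affected() {
  v=$(version_key "$1")
  [ "$v" -ge "$(version_key 7.20.0)" ] && [ "$v" -lt "$(version_key 7.79.0)" ]
}

# Heuristic: curl's verbose output reports the negotiated protocol with a line such
# as "* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384". A --ssl-reqd
# transfer whose trace has no such line ran in clear text.
tls_negotiated_in_trace() {
  printf '%s\n' "$1" | grep -q 'SSL connection using'
}

# Constructed sample data (not real captures).
SAMPLE_BANNER_OLD='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11'
SAMPLE_BANNER_FIXED='curl 7.79.0 (x86_64-pc-linux-gnu) libcurl/7.79.0 OpenSSL/1.1.1l zlib/1.2.11'
# A session that logged in without ever upgrading: credentials crossed the wire in the clear.
SAMPLE_TRACE_CLEARTEXT='* Connected to mail.example.test (192.0.2.10) port 143 (#0)
< * OK IMAP4rev1 ready
> A001 LOGIN "alice" "s3cret"
< A001 OK LOGIN completed'
# A session where the STARTTLS upgrade happened before authentication.
SAMPLE_TRACE_TLS='* Connected to mail.example.test (192.0.2.10) port 143 (#0)
< * OK IMAP4rev1 ready
> A001 STARTTLS
< A001 OK Begin TLS negotiation now
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384'

# Live check when a curl binary is present; skipped otherwise so the script runs anywhere.
if command -v curl >/dev/null 2>&1; then
  installed=$(curl_version_from_banner "$(curl --version 2>/dev/null)")
  if cve_2021_22946_version_affected "$installed"; then
    echo "curl $installed is in the affected range for CVE-2021-22946 (verify distro backports)"
  else
    echo "curl $installed is outside the affected range for CVE-2021-22946"
  fi
fi
```

Run the script on a host to get a verdict for the installed curl. Debian, Fedora and the other vendors in the table ship backported fixes under older upstream version numbers, so treat an in-range result as a prompt to check the package changelog or the vendor advisory rather than as proof of exposure. For the behavioural check, capture the stderr of a `curl -v --ssl-reqd` run against your own IMAP, POP3 or FTP server and pass it to `tls_negotiated_in_trace`; because the downgrade this CVE describes is silent, the trace is the only client-side evidence that the upgrade happened.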
References
- http://seclists.org/fulldisclosure/2022/Mar/29 (Mailing List, Third Party Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (Patch, Third Party Advisory)
- https://hackerone.com/reports/1334111 (Exploit, Issue Tracking, Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/ (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/ (Mailing List, Third Party Advisory)
- https://security.gentoo.org/glsa/202212-01 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20211029-0003/ (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220121-0008/ (Third Party Advisory)
- https://support.apple.com/kb/HT213183 (Release Notes, Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5197 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
Frequently Asked Questions
What is CVE-2021-22946?
A protocol-downgrade flaw in curl and libcurl 7.20.0 through 7.78.0. When the user requires a TLS upgrade for IMAP, POP3 or FTP (`--ssl-reqd`, or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL`), a server can return a properly crafted but legitimate response that makes curl continue the session in clear text without reporting an error.
How severe is CVE-2021-22946?
High: CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The attack is network-reachable with no privileges or user interaction and has a high confidentiality impact (credentials and transferred data exposed), with no integrity or availability impact. EPSS puts the probability of exploitation in the next 30 days at 4.22%.
How do I fix CVE-2021-22946?
Upgrade curl and libcurl to 7.79.0 or later. For the distribution and vendor products listed under Affected Software, apply the fixed package or release from the advisories under References; the fix is often backported, so the upstream version number alone does not tell you whether a package is patched. Where the server offers implicit TLS, connecting with imaps://, pop3s:// or ftps:// avoids the STARTTLS upgrade path that this flaw bypasses.
Are you affected by CVE-2021-22946?
You are exposed if you run curl or libcurl in the affected range, or one of the listed products bundling it, and rely on `--ssl-reqd` or `CURLOPT_USE_SSL` to enforce TLS for IMAP, POP3 or FTP. The bypass is triggered by the response of the server being contacted, so connections to untrusted or compromised servers carry the risk.
Source: NVD / NIST
