CVE-2021-22946
high-risk
Published 2021-09-29
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
Do I need to act?
-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (20)
References (32)
Mailing List
http://seclists.org/fulldisclosure/2022/Mar/29
Third Party Advisory
https://security.gentoo.org/glsa/202212-01
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211029-0003/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220121-0008/
Release Notes
https://support.apple.com/kb/HT213183
Third Party Advisory
https://www.debian.org/security/2022/dsa-5197
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Mailing List
http://seclists.org/fulldisclosure/2022/Mar/29
and 12 more references
50
/ 100
high-risk
Severity
26/34 · High
Exploitability
0/34 · Minimal
Exposure
24/34 · High