CVE-2021-22947
moderate-risk
Published 2021-09-29
When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once, which curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses; instead it continues using and trusting the responses it got *before* the TLS handshake as if they were authenticated. Using this flaw, a Man-In-The-Middle attacker can first inject the fake responses, then pass through the TLS traffic from the legitimate server and trick curl into sending data back to the user, who thinks the attacker's injected data comes from the TLS-protected server.
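The failure mode above, as an added illustration that is not curl's own code: a toy IMAP client over a constructed in-memory "wire" that delivers server lines in chunks the way a socket read does, where the STARTTLS reply arrives in the same chunk as extra plaintext lines. The vulnerable variant keeps those cached lines after the upgrade; the fixed variant discards them, which is the defensive behaviour a client needs here.

```python
# Added example for CVE-2021-22947 (not curl's code). ImapClient, make_wire and
# run are hypothetical names; the server lines below are constructed.
from collections import deque

def make_wire():
    # Constructed traffic. Chunk 2 pairs the STARTTLS reply with extra
    # plaintext responses; chunk 3 is what arrives inside the TLS session.
    return deque([
        "* OK server ready\r\n",
        "A1 OK Begin TLS negotiation now\r\n"
        "* CAPABILITY IMAP4rev1 INJECTED\r\n"
        "A2 OK CAPABILITY completed\r\n",
        "* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n"
        "A2 OK CAPABILITY completed\r\n",
    ])

class ImapClient:
    def __init__(self, wire, flush_on_upgrade):
        self.wire, self.flush_on_upgrade = wire, flush_on_upgrade
        self.buf = deque()   # received lines not yet consumed (the "in-queue")
        self.tls = False

    def _readline(self):
        if not self.buf:
            # One read may return several responses; all of them get cached.
            self.buf.extend(self.wire.popleft().splitlines())
        return self.buf.popleft()

    def _command(self, tag, cmd):
        untagged = []                  # collect until the tagged reply for cmd
        while True:
            line = self._readline()
            if line.startswith(tag + " "):
                return untagged, line
            untagged.append(line)

    def connect(self):
        assert self._readline().startswith("* OK")
        _, status = self._command("A1", "STARTTLS")
        assert status.startswith("A1 OK")
        self.tls = True                # the TLS handshake would happen here
        if self.flush_on_upgrade:
            self.buf.clear()           # fix: drop everything read in plaintext

    def capabilities(self):
        untagged, _ = self._command("A2", "CAPABILITY")
        return [l[len("* CAPABILITY "):] for l in untagged
                if l.startswith("* CAPABILITY ")][0]

def run(flush_on_upgrade):
    client = ImapClient(make_wire(), flush_on_upgrade)
    client.connect()
    return client.capabilities()
```

run(False) reports the plaintext-cached capability line, run(True) the one received under TLS.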
Do I need to act?
- 0.25% chance of exploitation (EPSS score): low exploit probability
- Not on CISA KEV list: no confirmed active exploitation reported to CISA
- Patch status unknown: check vendor advisories for fix availability and mitigation guidance
- CVSS 5.9/10 (Medium): attack vector NETWORK, attack complexity HIGH
Affected Products (20)
References (30)
Mailing List
http://seclists.org/fulldisclosure/2022/Mar/29
Third Party Advisory
https://security.gentoo.org/glsa/202212-01
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211029-0003/
Release Notes
https://support.apple.com/kb/HT213183
Third Party Advisory
https://www.debian.org/security/2022/dsa-5197
Risk score: 42 / 100 (moderate-risk)
- Severity: 18/34 · Moderate
- Exploitability: 1/34 · Minimal
- Exposure: 23/34 · High