CVE-2021-22946

Updated: 2024-03-27 21:34:19.265648

Description:

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line, or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement could be bypassed if the server returned a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations **without TLS**, contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 5 |
| CVSS Version 3.x | HIGH | 7.5 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | curl | 7.76.1 | 7.5 | HIGH | Not Vulnerable | | 2023-11-08 08:36:09 |
| CentOS 6 ELS | curl | 7.19.7 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:49:46 |
| CentOS 6 ELS | mysql | 5.1.73 | 7.5 | HIGH | Not Vulnerable | | 2022-07-18 16:26:02 |
| CentOS 7 ELS | curl | 7.29.0 | 7.5 | HIGH | Not Vulnerable | | 2023-10-31 14:09:37 |
| CentOS 8.4 ELS | curl | 7.61.1 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:49:46 |
| CentOS 8.4 ELS | mysql | 8.0.26 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:50:04 |
| CentOS 8.5 ELS | curl | 7.61.1 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:49:46 |
| CentOS 8.5 ELS | mysql | 8.0.26 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:50:04 |
| CloudLinux 6 ELS | curl | 7.19.7 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:49:46 |
| CloudLinux 6 ELS | mysql | 5.1.73 | 7.5 | HIGH | Not Vulnerable | | 2022-07-18 16:26:02 |
Total: 16