Vulnerability Details : CVE-2021-22947

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

Published 2021-09-29 20:15:08

Updated 2023-01-05 18:25:39

Source HackerOne

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-22947

Probability of exploitation activity in the next 30 days: 0.10%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 40 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-22947

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	[email protected]
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N	2.2	3.6	[email protected]
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2021-22947

CWE-310

Assigned by: [email protected] (Secondary)
CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Assigned by: [email protected] (Primary)

References for CVE-2021-22947

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202212-01

Third Party Advisory

CVEs referencing this url
https://support.apple.com/kb/HT213183

Release Notes;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2022.html

Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20211029-0003/

Third Party Advisory

CVEs referencing this url
http://seclists.org/fulldisclosure/2022/Mar/29

Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2022/dsa-5197

Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuoct2021.html

Patch;Third Party Advisory

CVEs referencing this url
https://hackerone.com/reports/1334763

Exploit;Issue Tracking;Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/

Mailing List;Third Party Advisory

CVEs referencing this url
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujul2022.html

Patch;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/[email protected]/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/

Mailing List;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2021-22947

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Apple » Macos
Versions before (<) 12.3
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.57
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.58
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.59
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
Matching versions
Oracle » Commerce Guided Search » Version: 11.3.2
cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql Server
Versions from including (>=) 5.7.0 and up to, including, (<=) 5.7.35
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql Server
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.0.26
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 1.10.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Console » Version: 22.2.0
cpe:2.3:a:oracle:communications_cloud_native_core_console:22.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Slice Selection Function » Version: 1.8.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Security Edge Protection Proxy » Version: 22.1.1
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Repository Function » Version: 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Repository Function » Version: 1.15.1
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Repository Function » Version: 22.2.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Repository Function » Version: 22.1.2
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Binding Support Function » Version: 1.11.0
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Binding Support Function » Version: 22.1.3
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Service Communication Proxy » Version: 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
Matching versions
Siemens » Sinec Infrastructure Network Services
Versions before (<) 1.0.1.1
cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Netapp » Clustered Data Ontap » Version: N/A
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » H300s Firmware » Version: N/A
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H300s » Version: N/A
Netapp » H500s Firmware » Version: N/A
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H500s » Version: N/A
Netapp » H700s Firmware » Version: N/A
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H700s » Version: N/A
Netapp » H300e Firmware » Version: N/A
cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H300e » Version: N/A
Netapp » H500e Firmware » Version: N/A
cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H500e » Version: N/A
Netapp » H700e Firmware » Version: N/A
cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H700e » Version: N/A
Netapp » H410s Firmware » Version: N/A
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H410s » Version: N/A
Netapp » Solidfire Baseboard Management Controller Firmware » Version: N/A
cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Solidfire Baseboard Management Controller » Version: N/A
Haxx » Curl
Versions from including (>=) 7.20.0 and before (<) 7.79.0
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Matching versions