Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2021-22947
Analyzed
More InfoOfficial Page
Source-support@hackerone.com
View Known Exploited Vulnerability (KEV) details
Published At-29 Sep, 2021 | 20:15
Updated At-27 Mar, 2024 | 15:03

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.9MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
CURL
haxx
>>curl>>Versions from 7.20.0(inclusive) to 7.79.0(exclusive)
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Fedora Project
fedoraproject
>>fedora>>33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Fedora Project
fedoraproject
>>fedora>>35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Debian GNU/Linux
debian
>>debian_linux>>9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Debian GNU/Linux
debian
>>debian_linux>>10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Debian GNU/Linux
debian
>>debian_linux>>11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>cloud_backup>>-
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>clustered_data_ontap>>-
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h300s_firmware>>-
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h300s>>-
cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h500s_firmware>>-
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h500s>>-
cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h700s_firmware>>-
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h700s>>-
cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h300e_firmware>>-
cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h300e>>-
cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h500e_firmware>>-
cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h500e>>-
cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h700e_firmware>>-
cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h700e>>-
cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h410s_firmware>>-
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>h410s>>-
cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>solidfire_baseboard_management_controller_firmware>>-
cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
NetApp, Inc.
netapp
>>solidfire_baseboard_management_controller>>-
cpe:2.3:h:netapp:solidfire_baseboard_management_controller:-:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_binding_support_function>>1.11.0
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_network_function_cloud_native_environment>>1.10.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_network_repository_function>>1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_network_repository_function>>1.15.1
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_network_slice_selection_function>>1.8.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_service_communication_proxy>>1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>mysql_server>>Versions from 5.7.0(inclusive) to 5.7.35(inclusive)
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>mysql_server>>Versions from 8.0.0(inclusive) to 8.0.26(inclusive)
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>peoplesoft_enterprise_peopletools>>8.57
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>peoplesoft_enterprise_peopletools>>8.58
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>peoplesoft_enterprise_peopletools>>8.59
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
Siemens AG
siemens
>>sinec_infrastructure_network_services>>Versions before 1.0.1.1(exclusive)
cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
Apple Inc.
apple
>>macos>>Versions before 12.3(exclusive)
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>commerce_guided_search>>11.3.2
cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_binding_support_function>>22.1.3
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_console>>22.2.0
cpe:2.3:a:oracle:communications_cloud_native_core_console:22.2.0:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_network_repository_function>>22.1.2
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_network_repository_function>>22.2.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>communications_cloud_native_core_security_edge_protection_proxy>>22.1.1
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*
Splunk LLC (Cisco Systems, Inc.)
splunk
>>universal_forwarder>>Versions from 8.2.0(inclusive) to 8.2.12(exclusive)
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
Splunk LLC (Cisco Systems, Inc.)
splunk
>>universal_forwarder>>Versions from 9.0.0(inclusive) to 9.0.6(exclusive)
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
Splunk LLC (Cisco Systems, Inc.)
splunk
>>universal_forwarder>>9.1.0
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-345Primarynvd@nist.gov
CWE-310Secondarysupport@hackerone.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://seclists.org/fulldisclosure/2022/Mar/29support@hackerone.com
Mailing List
Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfsupport@hackerone.com
Patch
Third Party Advisory
https://hackerone.com/reports/1334763support@hackerone.com
Exploit
Issue Tracking
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/09/msg00022.htmlsupport@hackerone.com
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.htmlsupport@hackerone.com
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/support@hackerone.com
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/support@hackerone.com
Mailing List
Third Party Advisory
https://security.gentoo.org/glsa/202212-01support@hackerone.com
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211029-0003/support@hackerone.com
Third Party Advisory
https://support.apple.com/kb/HT213183support@hackerone.com
Release Notes
Third Party Advisory
https://www.debian.org/security/2022/dsa-5197support@hackerone.com
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlsupport@hackerone.com
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlsupport@hackerone.com
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlsupport@hackerone.com
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlsupport@hackerone.com
Patch
Third Party Advisory
Change History
0Changes found
Details not found