Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-22924

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

Security Impact Summary

This vulnerability carries a LOW severity rating with a CVSS v3.1 score of 3.7, indicating it can be exploited remotely over the network but requires specific conditions to be met without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts limited data confidentiality, for affected systems. Impacting 53 products from haxx, from fedoraproject, from debian and 50 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2021, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2021-08-05T21:15:11.380

Last Modified

2025-06-09T15:15:24.403

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.7 (LOW)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-20
  • Type: Primary
    CWE-706
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application haxx libcurl < 7.77.0 Yes
Operating System fedoraproject fedora 33 Yes
Operating System debian debian_linux 9.0 Yes
Operating System debian debian_linux 10.0 Yes
Operating System debian debian_linux 11.0 Yes
Application netapp cloud_backup - Yes
Application netapp clustered_data_ontap - Yes
Application netapp solidfire_\&_hci_management_node - Yes
Operating System netapp solidfire_baseboard_management_controller_firmware - Yes
Application oracle mysql_server ≤ 5.7.36 Yes
Application oracle mysql_server ≤ 8.0.26 Yes
Application oracle peoplesoft_enterprise_peopletools 8.57 Yes
Application oracle peoplesoft_enterprise_peopletools 8.58 Yes
Application oracle peoplesoft_enterprise_peopletools 8.59 Yes
Application siemens sinec_infrastructure_network_services < 1.0.1.1 Yes
Application siemens sinema_remote_connect_server < 3.1 Yes
Operating System siemens logo\!_cmr2040_firmware * Yes
Hardware siemens logo\!_cmr2040 - No
Operating System siemens logo\!_cmr2020_firmware * Yes
Hardware siemens logo\!_cmr2020 - No
Operating System siemens ruggedcomrm_1224_lte_firmware < 7.1 Yes
Hardware siemens ruggedcomrm_1224_lte - No
Operating System siemens scalance_m804pb_firmware < 7.1 Yes
Hardware siemens scalance_m804pb - No
Operating System siemens scalance_m812-1_firmware < 7.1 Yes
Hardware siemens scalance_m812-1 - No
Operating System siemens scalance_m816-1_firmware < 7.1 Yes
Hardware siemens scalance_m816-1 - No
Operating System siemens scalance_m826-2_firmware < 7.1 Yes
Hardware siemens scalance_m826-2 - No
Operating System siemens scalance_m874-2_firmware < 7.1 Yes
Hardware siemens scalance_m874-2 - No
Operating System siemens scalance_m874-3_firmware < 7.1 Yes
Hardware siemens scalance_m874-3 - No
Operating System siemens scalance_m876-3_firmware < 7.1 Yes
Hardware siemens scalance_m876-3 - No
Operating System siemens scalance_m876-4_firmware < 7.1 Yes
Hardware siemens scalance_m876-4 - No
Operating System siemens scalance_mum856-1_firmware < 7.1 Yes
Hardware siemens scalance_mum856-1 - No
Operating System siemens scalance_s615_firmware < 7.1 Yes
Hardware siemens scalance_s615 - No
Operating System siemens simatic_cp_1543-1_firmware < 3.0.22 Yes
Hardware siemens simatic_cp_1543-1 - No
Operating System siemens simatic_cp_1545-1_firmware < 1.1 Yes
Hardware siemens simatic_cp_1545-1 - No
Operating System siemens simatic_rtu3010c_firmware < 5.0.14 Yes
Hardware siemens simatic_rtu3010c - No
Operating System siemens simatic_rtu3030c_firmware < 5.0.14 Yes
Hardware siemens simatic_rtu3030c - No
Operating System siemens simatic_rtu3031c_firmware < 5.0.14 Yes
Hardware siemens simatic_rtu3031c - No
Operating System siemens simatic_rtu_3041c_firmware < 5.0.14 Yes
Hardware siemens simatic_rtu_3041c - No
Application siemens sinema_remote_connect < 3.1 Yes
Operating System siemens siplus_net_cp_1543-1_firmware < 3.0.22 Yes
Hardware siemens siplus_net_cp_1543-1 - No
Application splunk universal_forwarder < 8.2.12 Yes
Application splunk universal_forwarder < 9.0.6 Yes
Application splunk universal_forwarder 9.1.0 Yes
References

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For haxx's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.