Vulnerability Monitor


CVE-2021-22924


libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*, which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even vary depending on used file systems. The comparison also didn't include the 'issuer cert' which a transfer can set to qualify how to verify the server certificate.
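The matching error described above, modelled as an added example (this is not libcurl's source code). The struct, the function names and the file paths are hypothetical and constructed for illustration; the flawed matcher compares paths case-insensitively and skips the issuer certificate, the corrected one does neither.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the TLS settings a pooled connection was set up with. */
struct tls_config {
    const char *cafile;      /* CA bundle path */
    const char *issuercert;  /* issuer certificate path, NULL when unset */
};

/* NULL-safe path equality; ignore_case selects the comparison mode. */
static bool same_path(const char *a, const char *b, bool ignore_case)
{
    if (!a || !b)
        return a == b;                 /* match only when both are unset */
    for (; *a && *b; a++, b++) {
        int ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ignore_case ? tolower(ca) != tolower(cb) : ca != cb)
            return false;
    }
    return *a == *b;                   /* both strings must end together */
}

/* Flawed matcher as the description states it: paths compared
   case-insensitively, issuercert never compared. */
bool config_match_flawed(const struct tls_config *want, const struct tls_config *have)
{
    return same_path(want->cafile, have->cafile, true);
}

/* Corrected matcher: exact path comparison, issuercert included. */
bool config_match_fixed(const struct tls_config *want, const struct tls_config *have)
{
    return same_path(want->cafile, have->cafile, false) &&
           same_path(want->issuercert, have->issuercert, false);
}

/* Constructed sample configurations (paths are made up). */
static const struct tls_config pooled       = { "/etc/ssl/CA.pem", NULL };
static const struct tls_config case_variant = { "/etc/ssl/ca.pem", NULL };
static const struct tls_config with_issuer  = { "/etc/ssl/CA.pem", "/etc/ssl/issuer.pem" };

int main(void)
{
    printf("case variant: flawed=%d fixed=%d\n",
           config_match_flawed(&case_variant, &pooled), config_match_fixed(&case_variant, &pooled));
    printf("issuer set:   flawed=%d fixed=%d\n",
           config_match_flawed(&with_issuer, &pooled), config_match_fixed(&with_issuer, &pooled));
    return 0;
}
```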


Published

2021-08-05T21:15:11.380

Last Modified

2025-06-09T15:15:24.403

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.7 (LOW)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-20
  • Type: Primary
    CWE-706

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | haxx | libcurl | < 7.77.0 | Yes |
| Operating System | fedoraproject | fedora | 33 | Yes |
| Operating System | debian | debian_linux | 9.0 | Yes |
| Operating System | debian | debian_linux | 10.0 | Yes |
| Operating System | debian | debian_linux | 11.0 | Yes |
| Application | netapp | cloud_backup | - | Yes |
| Application | netapp | clustered_data_ontap | - | Yes |
| Application | netapp | solidfire_\&_hci_management_node | - | Yes |
| Operating System | netapp | solidfire_baseboard_management_controller_firmware | - | Yes |
| Application | oracle | mysql_server | ≤ 5.7.36 | Yes |
| Application | oracle | mysql_server | ≤ 8.0.26 | Yes |
| Application | oracle | peoplesoft_enterprise_peopletools | 8.57 | Yes |
| Application | oracle | peoplesoft_enterprise_peopletools | 8.58 | Yes |
| Application | oracle | peoplesoft_enterprise_peopletools | 8.59 | Yes |
| Application | siemens | sinec_infrastructure_network_services | < 1.0.1.1 | Yes |
| Application | siemens | sinema_remote_connect_server | < 3.1 | Yes |
| Operating System | siemens | logo\!_cmr2040_firmware | * | Yes |
| Hardware | siemens | logo\!_cmr2040 | - | No |
| Operating System | siemens | logo\!_cmr2020_firmware | * | Yes |
| Hardware | siemens | logo\!_cmr2020 | - | No |
| Operating System | siemens | ruggedcomrm_1224_lte_firmware | < 7.1 | Yes |
| Hardware | siemens | ruggedcomrm_1224_lte | - | No |
| Operating System | siemens | scalance_m804pb_firmware | < 7.1 | Yes |
| Hardware | siemens | scalance_m804pb | - | No |
| Operating System | siemens | scalance_m812-1_firmware | < 7.1 | Yes |
| Hardware | siemens | scalance_m812-1 | - | No |
| Operating System | siemens | scalance_m816-1_firmware | < 7.1 | Yes |
| Hardware | siemens | scalance_m816-1 | - | No |
| Operating System | siemens | scalance_m826-2_firmware | < 7.1 | Yes |
| Hardware | siemens | scalance_m826-2 | - | No |
| Operating System | siemens | scalance_m874-2_firmware | < 7.1 | Yes |
| Hardware | siemens | scalance_m874-2 | - | No |
| Operating System | siemens | scalance_m874-3_firmware | < 7.1 | Yes |
| Hardware | siemens | scalance_m874-3 | - | No |
| Operating System | siemens | scalance_m876-3_firmware | < 7.1 | Yes |
| Hardware | siemens | scalance_m876-3 | - | No |
| Operating System | siemens | scalance_m876-4_firmware | < 7.1 | Yes |
| Hardware | siemens | scalance_m876-4 | - | No |
| Operating System | siemens | scalance_mum856-1_firmware | < 7.1 | Yes |
| Hardware | siemens | scalance_mum856-1 | - | No |
| Operating System | siemens | scalance_s615_firmware | < 7.1 | Yes |
| Hardware | siemens | scalance_s615 | - | No |
| Operating System | siemens | simatic_cp_1543-1_firmware | < 3.0.22 | Yes |
| Hardware | siemens | simatic_cp_1543-1 | - | No |
| Operating System | siemens | simatic_cp_1545-1_firmware | < 1.1 | Yes |
| Hardware | siemens | simatic_cp_1545-1 | - | No |
| Operating System | siemens | simatic_rtu3010c_firmware | < 5.0.14 | Yes |
| Hardware | siemens | simatic_rtu3010c | - | No |
| Operating System | siemens | simatic_rtu3030c_firmware | < 5.0.14 | Yes |
| Hardware | siemens | simatic_rtu3030c | - | No |
| Operating System | siemens | simatic_rtu3031c_firmware | < 5.0.14 | Yes |
| Hardware | siemens | simatic_rtu3031c | - | No |
| Operating System | siemens | simatic_rtu_3041c_firmware | < 5.0.14 | Yes |
| Hardware | siemens | simatic_rtu_3041c | - | No |
| Application | siemens | sinema_remote_connect | < 3.1 | Yes |
| Operating System | siemens | siplus_net_cp_1543-1_firmware | < 3.0.22 | Yes |
| Hardware | siemens | siplus_net_cp_1543-1 | - | No |
| Application | splunk | universal_forwarder | < 8.2.12 | Yes |
| Application | splunk | universal_forwarder | < 9.0.6 | Yes |
| Application | splunk | universal_forwarder | 9.1.0 | Yes |

References