7.5
CVE-2021-22946
- EPSS 4.22%
- Veröffentlicht 29.09.2021 20:15:08
- Zuletzt bearbeitet 16.04.2026 15:16:44
- Quelle support@hackerone.com
- CVE-Watchlists
- Unerledigt
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Debian ≫ Debian Linux Version9.0
Debian ≫ Debian Linux Version10.0
Debian ≫ Debian Linux Version11.0
Fedoraproject ≫ Fedora Version33
Fedoraproject ≫ Fedora Version35
Netapp ≫ Cloud Backup Version-
Netapp ≫ Clustered Data Ontap Version-
Netapp ≫ Oncommand Insight Version-
Netapp ≫ Oncommand Workflow Automation Version-
Netapp ≫ Snapcenter Version-
Netapp ≫ H300s Firmware Version-
Netapp ≫ H500s Firmware Version-
Netapp ≫ H700s Firmware Version-
Netapp ≫ H300e Firmware Version-
Netapp ≫ H500e Firmware Version-
Netapp ≫ H700e Firmware Version-
Netapp ≫ H410s Firmware Version-
Oracle ≫ Communications Cloud Native Core Binding Support Function Version1.11.0
Oracle ≫ Communications Cloud Native Core Network Repository Function Version1.15.0
Oracle ≫ Communications Cloud Native Core Network Repository Function Version1.15.1
Oracle ≫ Communications Cloud Native Core Service Communication Proxy Version1.15.0
Oracle ≫ Mysql Server Version >= 5.7.0 <= 5.7.35
Oracle ≫ Mysql Server Version >= 8.0.0 <= 8.0.26
Oracle ≫ Peoplesoft Enterprise Peopletools Version8.57
Oracle ≫ Peoplesoft Enterprise Peopletools Version8.58
Oracle ≫ Peoplesoft Enterprise Peopletools Version8.59
Siemens ≫ Sinec Infrastructure Network Services Version < 1.0.1.1
Oracle ≫ Commerce Guided Search Version11.3.2
Oracle ≫ Communications Cloud Native Core Binding Support Function Version22.1.3
Oracle ≫ Communications Cloud Native Core Console Version22.2.0
Oracle ≫ Communications Cloud Native Core Network Repository Function Version22.1.0
Oracle ≫ Communications Cloud Native Core Network Repository Function Version22.2.0
Splunk ≫ Universal Forwarder Version >= 8.2.0 < 8.2.12
Splunk ≫ Universal Forwarder Version >= 9.0.0 < 9.0.6
Splunk ≫ Universal Forwarder Version9.1.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 4.22% | 0.897 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-319 Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CWE-325 Missing Cryptographic Step
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://www.debian.org/security/2022/dsa-5197
http://seclists.org/fulldisclosure/2022/Mar/29
https://support.apple.com/kb/HT213183
https://security.gentoo.org/glsa/202212-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/
https://security.netapp.com/advisory/ntap-20211029-0003/
https://hackerone.com/reports/1334111
https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html
https://security.netapp.com/advisory/ntap-20220121-0008/