7.5

CVE-2021-22946

Exploit
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HaxxCurl Version >= 7.20.0 < 7.79.0
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
FedoraprojectFedora Version33
FedoraprojectFedora Version35
NetappCloud Backup Version-
NetappOncommand Insight Version-
NetappSnapcenter Version-
NetappH300s Firmware Version-
   NetappH300s Version-
NetappH500s Firmware Version-
   NetappH500s Version-
NetappH700s Firmware Version-
   NetappH700s Version-
NetappH300e Firmware Version-
   NetappH300e Version-
NetappH500e Firmware Version-
   NetappH500e Version-
NetappH700e Firmware Version-
   NetappH700e Version-
NetappH410s Firmware Version-
   NetappH410s Version-
OracleMysql Server Version >= 5.7.0 <= 5.7.35
OracleMysql Server Version >= 8.0.0 <= 8.0.26
ApplemacOS Version < 12.3
OracleCommerce Guided Search Version11.3.2
SplunkUniversal Forwarder Version >= 8.2.0 < 8.2.12
SplunkUniversal Forwarder Version >= 9.0.0 < 9.0.6
SplunkUniversal Forwarder Version9.1.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.22% 0.897
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CWE-325 Missing Cryptographic Step

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch
Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
Third Party Advisory
Mailing List
https://www.debian.org/security/2022/dsa-5197
Third Party Advisory
http://seclists.org/fulldisclosure/2022/Mar/29
Third Party Advisory
Mailing List
https://support.apple.com/kb/HT213183
Third Party Advisory
Release Notes
https://security.gentoo.org/glsa/202212-01
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/
Third Party Advisory
Mailing List
https://security.netapp.com/advisory/ntap-20211029-0003/
Third Party Advisory
https://hackerone.com/reports/1334111
Patch
Third Party Advisory
Exploit
Issue Tracking
https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html
Third Party Advisory
Mailing List
https://security.netapp.com/advisory/ntap-20220121-0008/
Third Party Advisory