Description

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

Related CPE's

a

haxx

curl

Vulnerable

o

debian

debian_linux

3

o

fedoraproject

fedora

2

a

netapp

cloud_backup

-

Vulnerable

a

netapp

clustered_data_ontap

-

Vulnerable

a

netapp

oncommand_insight

-

Vulnerable

a

netapp

oncommand_workflow_automation

-

Vulnerable

a

netapp

snapcenter

-

Vulnerable

o

netapp

h300s_firmware

-

Vulnerable

h

netapp

h300s

-

o

netapp

h500s_firmware

-

Vulnerable

h

netapp

h500s

-

o

netapp

h700s_firmware

-

Vulnerable

h

netapp

h700s

-

o

netapp

h300e_firmware

-

Vulnerable

h

netapp

h300e

-

o

netapp

h500e_firmware

-

Vulnerable

h

netapp

h500e

-

o

netapp

h700e_firmware

-

Vulnerable

h

netapp

h700e

-

o

netapp

h410s_firmware

-

Vulnerable

h

netapp

h410s

-

o

netapp

solidfire_baseboard_management_controller_firmware

-

Vulnerable

h

netapp

solidfire_baseboard_management_controller

-

a

oracle

communications_cloud_native_core_binding_support_function

2

a

oracle

communications_cloud_native_core_network_function_cloud_native_environment

1.10.0

Vulnerable

a

oracle

communications_cloud_native_core_network_repository_function

4

a

oracle

communications_cloud_native_core_network_slice_selection_function

1.8.0

Vulnerable

a

oracle

communications_cloud_native_core_service_communication_proxy

1.15.0

Vulnerable

a

oracle

mysql_server

2

a

oracle

peoplesoft_enterprise_peopletools

3

o

apple

macos

Vulnerable

a

siemens

sinec_infrastructure_network_services

Vulnerable

a

oracle

commerce_guided_search

11.3.2

Vulnerable

a

oracle

communications_cloud_native_core_console

22.2.0

Vulnerable

a

oracle

communications_cloud_native_core_security_edge_protection_proxy

22.1.1

Vulnerable

a

splunk

universal_forwarder

3

References

http://seclists.org/fulldisclosure/2022/Mar/29

Mailing ListThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

PatchThird Party Advisory

https://hackerone.com/reports/1334111

ExploitIssue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202212-01

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211029-0003/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220121-0008/

Third Party Advisory

https://support.apple.com/kb/HT213183

Release NotesThird Party Advisory

https://www.debian.org/security/2022/dsa-5197

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

PatchThird Party Advisory

http://seclists.org/fulldisclosure/2022/Mar/29

Mailing ListThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

PatchThird Party Advisory

https://hackerone.com/reports/1334111

ExploitIssue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202212-01

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211029-0003/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220121-0008/

Third Party Advisory

https://support.apple.com/kb/HT213183

Release NotesThird Party Advisory

https://www.debian.org/security/2022/dsa-5197

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

PatchThird Party Advisory

Weaknesses

[email protected]

Secondary
CWE-325

[email protected]

Primary
CWE-319

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.5 · High

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-09-29T18:15:08.187Z

4 years ago

Last modified

2024-11-21T04:50:59.587Z

1 year ago