Vulnerability CVE-2021-22947

Vulnerability Name:

CVE-2021-22947 (CCN-209453)

Assigned:

2021-09-15

Published:

2021-09-15

Updated:

2023-01-05

Summary:

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

CVSS v3 Severity:

5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

7.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

6.1 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)
5.3 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-319

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2021-22947

Source: support@hackerone.com
Type: Mailing List, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Patch, Third Party Advisory
support@hackerone.com

Source: CCN
Type: Project curl Security Advisory, September 15th 2021
STARTTLS protocol injection via MITM

Source: XF
Type: UNKNOWN
curl-cve202122947-mitm(209453)

Source: support@hackerone.com
Type: Exploit, Issue Tracking, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Mailing List, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Mailing List, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Mailing List, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Mailing List, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Third Party Advisory
support@hackerone.com

Source: CCN
Type: Apple security document HT213183
About the security content of macOS Monterey 12.3

Source: support@hackerone.com
Type: Release Notes, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Third Party Advisory
support@hackerone.com

Source: CCN
Type: IBM Security Bulletin 6510176 (PowerSC)
Multiple vulnerabilities in Curl affect PowerSC

Source: CCN
Type: IBM Security Bulletin 6527796 (MQ)
IBM MQ is vulnerable to multiple issues with libcurl (CVE-2021-22946, CVE-2021-22947)

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6574489 (Cloud Private)
Security Vulnerabilities affect IBM Cloud Private - curl (CVE-2021-22947)

Source: CCN
Type: IBM Security Bulletin 6596085 (QRadar SIEM)
IBM QRadar WinCollect is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6620211 (Spectrum Protect Plus)
Vulnerabilities in libcurl may affect IBM Spectrum Protect Plus (CVE-2021-22946, CVE-2022-27782, CVE-2022-27774, CVE-2022-22576, CVE-2021-22947, CVE-2022-27776)

Source: CCN
Type: IBM Security Bulletin 6620213 (Spectrum Copy Data Management)
Vulnerabilities in libcurl may affect IBM Spectrum Copy Data Management (CVE-2022-27782, CVE-2022-27774, CVE-2021-22947, CVE-2022-22576, CVE-2022-27776, CVE-2021-22946)

Source: CCN
Type: IBM Security Bulletin 6621463 (Spectrum Protect Plus)
Vulnerabilities in libcurl affect IBM Spectrum Protect Plus SQL, File Indexing, and Windows Host agents

Source: support@hackerone.com
Type: Patch, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Patch, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Patch, Third Party Advisory
support@hackerone.com

Source: support@hackerone.com
Type: Patch, Third Party Advisory
support@hackerone.com

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-22947

Vulnerable Configuration:

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:

cpe:/a:curl:libcurl:7.20.0:*:*:*:*:*:*:*

AND

cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:mq:9.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:mq:9.1.0:*:*:*:continuous_delivery:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*

OR cpe:/a:ibm:mq:9.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7476	P	curl-8.0.1-150400.5.23.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:51969	P	Security update for vim (Important)	2022-11-29
oval:org.opensuse.security:def:784	P	Security update for dpdk (Important)	2022-09-27
oval:org.opensuse.security:def:3685	P	Security update for wavpack (Low)	2022-08-05
oval:org.opensuse.security:def:95398	P	Security update for squid (Important)	2022-07-12
oval:org.opensuse.security:def:3494	P	gd-2.1.0-24.12.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94532	P	curl-7.79.1-150400.3.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:2902	P	curl-7.79.1-150400.3.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94606	P	libXdmcp-devel-1.1.2-1.23 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:100055	P	(Important)	2022-03-29
oval:org.opensuse.security:def:6191	P	Security update for flac (Moderate)	2022-03-14
oval:org.opensuse.security:def:99744	P	(Important)	2022-02-04
oval:org.opensuse.security:def:112133	P	curl-7.79.1-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105669	P	Security update for python-Pygments (Important)	2021-12-01
oval:com.redhat.rhsa:def:20214059	P	RHSA-2021:4059: curl security update (Moderate)	2021-11-02
oval:org.opensuse.security:def:99151	P	(Moderate)	2021-10-20
oval:org.opensuse.security:def:111095	P	Security update for curl (Moderate)	2021-10-18
oval:org.opensuse.security:def:88519	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:125614	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:59550	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:89205	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:126781	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:33727	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:59808	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:23981	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:89463	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:127178	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:33985	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:88202	P	Security update for curl (Moderate)	2021-10-12
oval:org.opensuse.security:def:34557	P	Security update for curl (Moderate)	2021-10-11
oval:org.opensuse.security:def:5130	P	Security update for curl (Moderate)	2021-10-11
oval:org.opensuse.security:def:60380	P	Security update for curl (Moderate)	2021-10-11
oval:org.opensuse.security:def:26143	P	Security update for curl (Moderate)	2021-10-11
oval:org.opensuse.security:def:70299	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:42224	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:64583	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:99998	P	(Moderate)	2021-10-06
oval:org.opensuse.security:def:106036	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:10159	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:92396	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:69545	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:107985	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:99147	P	(Moderate)	2021-10-06
oval:org.opensuse.security:def:76007	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:9405	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:70486	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:64774	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:100334	P	(Moderate)	2021-10-06
oval:org.opensuse.security:def:106235	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:10346	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:8658	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:92595	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:69736	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:108777	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:99419	P	(Moderate)	2021-10-06
oval:org.opensuse.security:def:105646	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:76348	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:99346	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:9596	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:92006	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:66939	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:100663	P	(Moderate)	2021-10-06
oval:org.opensuse.security:def:106434	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:101319	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:73705	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:8845	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:92794	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:69935	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:42125	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:99682	P	(Moderate)	2021-10-06
oval:org.opensuse.security:def:105841	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:99545	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:9795	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:5850	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:92201	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:117499	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:67280	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:101515	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:106720	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:102111	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:111736	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:73896	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:98956	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:9040	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:38801	P	Security update for curl (Moderate)	2021-09-23
oval:org.opensuse.security:def:43231	P	Security update for curl (Moderate)	2021-09-23
oval:org.opensuse.security:def:40102	P	Security update for curl (Moderate)	2021-09-23
oval:org.opensuse.security:def:44532	P	Security update for curl (Moderate)	2021-09-23
oval:org.opensuse.security:def:37502	P	Security update for curl (Moderate)	2021-09-23
oval:org.opensuse.security:def:42787	P	Security update for curl (Moderate)	2021-09-23
oval:org.opensuse.security:def:33007	P	Security update for curl (Moderate)	2021-09-21
oval:org.opensuse.security:def:87471	P	Security update for curl (Moderate)	2021-09-21
oval:org.opensuse.security:def:58830	P	Security update for curl (Moderate)	2021-09-21

BACK