CVE-2021-22901
Summary
| CVE | CVE-2021-22901 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-11 16:15:00 UTC |
| Updated | 2024-03-27 15:12:00 UTC |
| Description | curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory. |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| July 2021 MySQL Vulnerabilities in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| June 2021 cURL/libcURL Vulnerabilities in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| curl - TLS session caching disaster - CVE-2021-22901 | MISC | curl.se | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| openssl: associate/detach the transfer from connection · curl/curl@7f4a9a9 · GitHub | MISC | github.com | |
| HackerOne | MISC | hackerone.com | |
| cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | CONFIRM | cert-portal.siemens.com | |
| cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf | CONFIRM | cert-portal.siemens.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |

No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 20225 Oracle MySQL July 2021 Critical Patch Update (CPU July 2021)
- 239451 Red Hat Update for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 (RHSA-2021:2472)
- 281101 Fedora Security Update for curl (FEDORA-2021-eb5b7c53a9)
- 296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
- 376367 Oracle Essbase Administration Services Security Update (CPUJAN2022)
- 376550 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (CPUAPR2022)
- 378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
- 378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
- 500135 Alpine Linux Security Update for curl
- 503786 Alpine Linux Security Update for curl
- 590938 Siemens Industrial Devices Multiple Vulnerabilities (SSA-732250)
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 690068 Free Berkeley Software Distribution (FreeBSD) Security Update for mysql (38a4a043-e937-11eb-9b84-d4c9ef517024)
- 710078 Gentoo Linux cURL Multiple vulnerabilities (GLSA 202105-36)
- 730155 McAfee Web Gateway Multiple Vulnerabilities(WP-3580, WP-3656, WP-3815, WP-3878, WP-3882, WP-3934,WP-3935, WP-3936, WP-3999)
- 900067 CBL-Mariner Linux Security Update for curl 7.76.0
- 901903 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (6360-1)
- 903125 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (4370)
- 91779 Cygwin Curl Package Multiple Security Vulnerabilities