CVE-2021-22922

Summary

CVE	CVE-2021-22922
State	PUBLISHED
Assigner	hackerone
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-08-05 21:15:11 UTC
Updated	2026-04-16 15:16:43 UTC
Description	When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.

Risk And Classification

Primary CVSS: v3.1 6.5 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Problem Types: CWE-840 | CWE-755 | CWE-840 Business Logic Errors (CWE-840)

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	6.5	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
3.1	ADP	DECLARED	6.5	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	6.5	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
2.0	[email protected]	Primary	4.3		`AV:N/AC:M/Au:N/C:N/I:P/A:N`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

AV:N/AC:M/Au:N/C:N/I:P/A:N

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Fedoraproject	Fedora	33	All	All	All
Application	Haxx	Curl	All	All	All	All
Application	Netapp	Cloud Backup	-	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Hardware	Netapp	H300e	-	All	All	All
Operating System	Netapp	H300e Firmware	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500e	-	All	All	All
Operating System	Netapp	H500e Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700e	-	All	All	All
Operating System	Netapp	H700e Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Application	Netapp	Hci Management Node	-	All	All	All
Application	Netapp	Solidfire	-	All	All	All
Application	Oracle	Mysql Server	All	All	All	All
Application	Oracle	Mysql Server	All	All	All	All
Application	Siemens	Sinec Infrastructure Network Services	All	All	All	All
Application	Splunk	Universal Forwarder	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Na	Https//github.com/curl/curl	affected curl 7.27.0 to and including 7.77.0	Not specified

References

Reference	Source	Link	Tags
Oracle Critical Patch Update Advisory - October 2021	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com	Patch, Third Party Advisory
curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security	af854a3a-2127-422b-91ae-364da2661108	security.gentoo.org	Third Party Advisory
[SECURITY] Fedora 33 Update: curl-7.71.1-10.fc33 - package-announce - Fedora Mailing-Lists	af854a3a-2127-422b-91ae-364da2661108	lists.fedoraproject.org	Mailing List, Third Party Advisory
lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f5...	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org	Mailing List, Third Party Advisory
HackerOne	af854a3a-2127-422b-91ae-364da2661108	hackerone.com	Exploit, Issue Tracking, Third Party Advisory
lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f5...	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org	Mailing List, Third Party Advisory
lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a9711...	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org	Mailing List, Third Party Advisory
August 2021 cURL/libcURL Vulnerabilities in NetApp Products \| NetApp Product Security	af854a3a-2127-422b-91ae-364da2661108	security.netapp.com	Third Party Advisory
cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	af854a3a-2127-422b-91ae-364da2661108	cert-portal.siemens.com	Patch, Third Party Advisory
lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a9711...	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org	Mailing List, Third Party Advisory
[SECURITY] Fedora 33 Update: curl-7.71.1-10.fc33 - package-announce - Fedora Mailing-Lists	MITRE	lists.fedoraproject.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159396 Oracle Enterprise Linux Security Update for curl (ELSA-2021-3582)
182041 Debian Security Update for curl (CVE-2021-22922)
239648 Red Hat Update for curl (RHSA-2021:3582)
239692 Red Hat Update for curl (RHSA-2021:3903)
281737 Fedora Security Update for curl (FEDORA-2021-83fdddca0f)
281795 Fedora Security Update for curl (FEDORA-2021-5d21b90a30)
296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
352843 Amazon Linux Security Advisory for curl: ALAS2-2021-1700
377386 Alibaba Cloud Linux Security Update for curl (ALINUX3-SA-2021:0070)
378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
500136 Alpine Linux Security Update for curl
503787 Alpine Linux Security Update for curl
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
670824 EulerOS Security Update for curl (EulerOS-SA-2021-2707)
670976 EulerOS Security Update for curl (EulerOS-SA-2021-2627)
671008 EulerOS Security Update for curl (EulerOS-SA-2021-2682)
690083 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (aa646c01-ea0d-11eb-9b84-d4c9ef517024)
710693 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)
750866 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2021:2425-1)
750872 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2021:2440-1)
750875 OpenSUSE Security Update for curl (openSUSE-SU-2021:2439-1)
750888 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2021:2462-1)
750891 OpenSUSE Security Update for curl (openSUSE-SU-2021:1088-1)
900298 CBL-Mariner Linux Security Update for curl 7.76.0
901834 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (6361-1)
903474 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (5209)
940284 AlmaLinux Security Update for curl (ALSA-2021:3582)
960794 Rocky Linux Security Update for curl (RLSA-2021:3582)