CVE-2021-22924
Summary
| CVE | CVE-2021-22924 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-08-05 21:15:00 UTC |
| Updated | 2024-03-27 15:11:00 UTC |
| Description | libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. |
Risk And Classification
Problem Types: CWE-706
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Application | Haxx | Libcurl | All | All | All | All |
| Application | Netapp | Cloud Backup | - | All | All | All |
| Application | Netapp | Clustered Data Ontap | - | All | All | All |
| Operating System | Netapp | Solidfire Baseboard Management Controller Firmware | - | All | All | All |
| Application | Netapp | Solidfire Hci Management Node | - | All | All | All |
| Application | Oracle | Mysql Server | All | All | All | All |
| Application | Oracle | Mysql Server | All | All | All | All |
| Application | Oracle | Mysql Server | All | All | All | All |
| Application | Oracle | Peoplesoft Enterprise Peopletools | 8.57 | All | All | All |
| Application | Oracle | Peoplesoft Enterprise Peopletools | 8.58 | All | All | All |
| Application | Oracle | Peoplesoft Enterprise Peopletools | 8.59 | All | All | All |
| Hardware | Siemens | Logo! Cmr2020 | - | All | All | All |
| Operating System | Siemens | Logo! Cmr2020 Firmware | All | All | All | All |
| Hardware | Siemens | Logo! Cmr2040 | - | All | All | All |
| Operating System | Siemens | Logo! Cmr2040 Firmware | All | All | All | All |
| Hardware | Siemens | Ruggedcomrm 1224 Lte | - | All | All | All |
| Operating System | Siemens | Ruggedcomrm 1224 Lte Firmware | All | All | All | All |
| Hardware | Siemens | Scalance M804pb | - | All | All | All |
| Operating System | Siemens | Scalance M804pb Firmware | All | All | All | All |
| Hardware | Siemens | Scalance M812-1 | - | All | All | All |
| Operating System | Siemens | Scalance M812-1 Firmware | All | All | All | All |
| Hardware | Siemens | Scalance M816-1 | - | All | All | All |
| Operating System | Siemens | Scalance M816-1 Firmware | All | All | All | All |
| Hardware | Siemens | Scalance M826-2 | - | All | All | All |
| Operating System | Siemens | Scalance M826-2 Firmware | All | All | All | All |
| Hardware | Siemens | Scalance M874-2 | - | All | All | All |
| Operating System | Siemens | Scalance M874-2 Firmware | All | All | All | All |
| Hardware | Siemens | Scalance M874-3 | - | All | All | All |
| Operating System | Siemens | Scalance M874-3 Firmware | All | All | All | All |
| Hardware | Siemens | Scalance M876-3 | - | All | All | All |
| Operating System | Siemens | Scalance M876-3 Firmware | All | All | All | All |
| Hardware | Siemens | Scalance M876-4 | - | All | All | All |
| Operating System | Siemens | Scalance M876-4 Firmware | All | All | All | All |
| Hardware | Siemens | Scalance Mum856-1 | - | All | All | All |
| Operating System | Siemens | Scalance Mum856-1 Firmware | All | All | All | All |
| Hardware | Siemens | Scalance S615 | - | All | All | All |
| Operating System | Siemens | Scalance S615 Firmware | All | All | All | All |
| Hardware | Siemens | Simatic Cp 1543-1 | - | All | All | All |
| Operating System | Siemens | Simatic Cp 1543-1 Firmware | All | All | All | All |
| Hardware | Siemens | Simatic Cp 1545-1 | - | All | All | All |
| Operating System | Siemens | Simatic Cp 1545-1 Firmware | All | All | All | All |
| Hardware | Siemens | Simatic Rtu3010c | - | All | All | All |
| Operating System | Siemens | Simatic Rtu3010c Firmware | All | All | All | All |
| Hardware | Siemens | Simatic Rtu3030c | - | All | All | All |
| Operating System | Siemens | Simatic Rtu3030c Firmware | All | All | All | All |
| Hardware | Siemens | Simatic Rtu3031c | - | All | All | All |
| Operating System | Siemens | Simatic Rtu3031c Firmware | All | All | All | All |
| Hardware | Siemens | Simatic Rtu 3041c | - | All | All | All |
| Operating System | Siemens | Simatic Rtu 3041c Firmware | All | All | All | All |
| Application | Siemens | Sinec Infrastructure Network Services | All | All | All | All |
| Application | Siemens | Sinema Remote Connect | All | All | All | All |
| Application | Siemens | Sinema Remote Connect Server | All | All | All | All |
| Hardware | Siemens | Siplus Net Cp 1543-1 | - | All | All | All |
| Operating System | Siemens | Siplus Net Cp 1543-1 Firmware | All | All | All | All |
| Application | Splunk | Universal Forwarder | All | All | All | All |
| Application | Splunk | Universal Forwarder | 9.1.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| [kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| August 2021 cURL/libcURL Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| [kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| HackerOne | MISC | hackerone.com | |
| [SECURITY] [DLA 2734-1] curl security update | MLIST | lists.debian.org | |
| cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | CONFIRM | cert-portal.siemens.com | |
| Debian -- Security Information -- DSA-5197-1 curl | DEBIAN | www.debian.org | |
| [SECURITY] Fedora 33 Update: curl-7.71.1-10.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image | lists.apache.org | ||
| [SECURITY] Fedora 33 Update: curl-7.71.1-10.fc33 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] [DLA 3085-1] curl security update | MLIST | lists.debian.org | |
| cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf | CONFIRM | cert-portal.siemens.com | |
| cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf | CONFIRM | cert-portal.siemens.com | |
| [kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image | lists.apache.org | ||
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159396 Oracle Enterprise Linux Security Update for curl (ELSA-2021-3582)
- 178759 Debian Security Update for curl (DLA 2734-1)
- 180909 Debian Security Update for curl (DSA 5197-1)
- 180969 Debian Security Update for curl (DLA 3085-1)
- 183343 Debian Security Update for curl (CVE-2021-22924)
- 198441 Ubuntu Security Notification for curl vulnerabilities (USN-5021-1)
- 239648 Red Hat Update for curl (RHSA-2021:3582)
- 240217 Red Hat Update for rh-dotnet31-curl (RHSA-2022:1354)
- 281737 Fedora Security Update for curl (FEDORA-2021-83fdddca0f)
- 281795 Fedora Security Update for curl (FEDORA-2021-5d21b90a30)
- 296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
- 352810 Amazon Linux Security Advisory for curl: ALAS-2021-1525
- 352843 Amazon Linux Security Advisory for curl: ALAS2-2021-1700
- 353095 Amazon Linux Security Advisory for curl : AL2012-2021-356
- 376257 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2022)
- 377386 Alibaba Cloud Linux Security Update for curl (ALINUX3-SA-2021:0070)
- 378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
- 378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
- 500136 Alpine Linux Security Update for curl
- 503787 Alpine Linux Security Update for curl
- 590938 Siemens Industrial Devices Multiple Vulnerabilities (SSA-732250)
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 670699 EulerOS Security Update for curl (EulerOS-SA-2021-2457)
- 670824 EulerOS Security Update for curl (EulerOS-SA-2021-2707)
- 671008 EulerOS Security Update for curl (EulerOS-SA-2021-2682)
- 690083 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (aa646c01-ea0d-11eb-9b84-d4c9ef517024)
- 750866 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2021:2425-1)
- 750872 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2021:2440-1)
- 750875 OpenSUSE Security Update for curl (openSUSE-SU-2021:2439-1)
- 750888 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2021:2462-1)
- 750891 OpenSUSE Security Update for curl (openSUSE-SU-2021:1088-1)
- 900298 CBL-Mariner Linux Security Update for curl 7.76.0
- 901199 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (6367-1)
- 903709 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (5212)
- 940284 AlmaLinux Security Update for curl (ALSA-2021:3582)
- 960794 Rocky Linux Security Update for curl (RLSA-2021:3582)