Home > Vulnerability Database > CVE-2021-22946

Mend.io Vulnerability Database

CVE-2021-22946

Date: September 28, 2021

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server ("--ssl-reqd" on the command line or"CURLOPT_USE_SSL" set to "CURLUSESSL_CONTROL" or "CURLUSESSL_ALL" withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations withoutTLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

Severity Score

7.5

Related Resources (24)

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-22946

Url: https://access.redhat.com/security/cve/CVE-2021-22946

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/

Url: https://security.netapp.com/advisory/ntap-20211029-0003/

Url: https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/

Url: http://seclists.org/fulldisclosure/2022/Mar/29

Url: https://security-tracker.debian.org/tracker/CVE-2021-22946

Url: https://security.alpinelinux.org/vuln/CVE-2021-22946

Url: https://www.oracle.com/security-alerts/cpujan2022.html

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-22946

Url: https://hackerone.com/reports/1334111

Url: https://security.netapp.com/advisory/ntap-20220121-0008/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/

Url: https://support.apple.com/kb/HT213183

Url: https://security.gentoo.org/glsa/202212-01

Url: https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Url: https://www.oracle.com/security-alerts/cpuapr2022.html

Url: https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html

Url: https://www.oracle.com/security-alerts/cpujul2022.html

Url: https://www.debian.org/security/2022/dsa-5197

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/

Url: https://www.oracle.com/security-alerts/cpuoct2021.html

Url: https://www.mend.io/vulnerability-database/CVE-2021-22946

Severity Score

7.5

Weakness Type (CWE)

Cleartext Transmission of Sensitive Information

CWE-319

Missing Cryptographic Step

CWE-325

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-22946

Date: September 28, 2021

Severity Score

Related Resources (24)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?