ID

VAR-202104-0328


CVE

CVE-2021-22890


TITLE

curl  Spoofing Authentication Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-002808

DESCRIPTION

curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check. curl Contains a spoofing authentication evasion vulnerability.Information may be tampered with. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202105-36 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: cURL: Multiple vulnerabilities Date: May 26, 2021 Bugs: #779535, #792192 ID: 202105-36 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in cURL, the worst of which could result in the arbitrary execution of code. Background ========== A command line tool and library for transferring data with URLs. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/curl < 7.77.0 >= 7.77.0 Description =========== Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All cURL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/curl-7.77.0" References ========== [ 1 ] CVE-2021-22876 https://nvd.nist.gov/vuln/detail/CVE-2021-22876 [ 2 ] CVE-2021-22890 https://nvd.nist.gov/vuln/detail/CVE-2021-22890 [ 3 ] CVE-2021-22898 https://nvd.nist.gov/vuln/detail/CVE-2021-22898 [ 4 ] CVE-2021-22901 https://nvd.nist.gov/vuln/detail/CVE-2021-22901 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202105-36 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 security update Advisory ID: RHSA-2021:2471-01 Product: Red Hat JBoss Core Services Advisory URL: https://access.redhat.com/errata/RHSA-2021:2471 Issue date: 2021-06-17 CVE Names: CVE-2020-8169 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890 CVE-2021-22901 CVE-2021-31618 ===================================================================== 1. Summary: Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 8 zip release for RHEL 7, RHEL 8 and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 Service Pack 8 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 7 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release. Security Fix(es): * curl: Use-after-free in TLS session handling when using OpenSSL TLS backend (CVE-2021-22901) * httpd: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618) * libcurl: partial password leak over DNS on HTTP redirect (CVE-2020-8169) * curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284) * curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used (CVE-2020-8285) * curl: Inferior OCSP verification (CVE-2020-8286) * curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876) * curl: TLS 1.3 session ticket mix-up with HTTPS proxy host (CVE-2021-22890) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. 4. Bugs fixed (https://bugzilla.redhat.com/): 1847916 - CVE-2020-8169 libcurl: partial password leak over DNS on HTTP redirect 1902667 - CVE-2020-8284 curl: FTP PASV command response can cause curl to connect to arbitrary host 1902687 - CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used 1906096 - CVE-2020-8286 curl: Inferior OCSP verification 1941964 - CVE-2021-22876 curl: Leak of authentication credentials in URL via automatic Referer 1941965 - CVE-2021-22890 curl: TLS 1.3 session ticket mix-up with HTTPS proxy host 1963146 - CVE-2021-22901 curl: Use-after-free in TLS session handling when using OpenSSL TLS backend 1968013 - CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request 5. References: https://access.redhat.com/security/cve/CVE-2020-8169 https://access.redhat.com/security/cve/CVE-2020-8284 https://access.redhat.com/security/cve/CVE-2020-8285 https://access.redhat.com/security/cve/CVE-2020-8286 https://access.redhat.com/security/cve/CVE-2021-22876 https://access.redhat.com/security/cve/CVE-2021-22890 https://access.redhat.com/security/cve/CVE-2021-22901 https://access.redhat.com/security/cve/CVE-2021-31618 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=securityPatches&version=2.4.37 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.openssl&downloadType=securityPatches&version=1.1.1g https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.37/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYMszstzjgjWX9erEAQgW2Q//cZOMa4KOvz7KejR03sHk7m8aMHDRdPDe Ki6PTe99phprmuXNPOCPGFuWDXbdpAlyEx3Elt3Ah+vmpV+K7ThwXGXJkGwb6mol 2xAFvcwxxO6GNsCl8gYW+JTG+5HYLZ/U4q3lgHId9qfzmuRRg0zwOuwZC7y7R6kP 3H1o1WRiIKEA1oHCh3f3OizTrkOcBZsWINsJ2ggW+ZqVeve4PJH55F3JwCJbIuhd kUhe1QQjiANWq4m/+QkTRtIYzahqK+lIubpoU5P+sFosc7ASUGe29ZPC9LsfY4hx 61bSxXbxTv2wcBaUrg/TAxRplQdHRbZe8s8eWhMtDoNHRqujYOiKHUnBgdoY6oLd 3gfAGI3w2NnWRDodGDGXfuDu6hncAukvxqOO/tOnRd2n7/R52ewGCsNKvsf/OHRG 1X7UeD4DJvXiqBNOtPaqOjR3q7xdO5MhYtkvh/8mzvhx5X/CojUWRWmtSdJDhpvQ POl+hJjFqEFTUJk/VGDJ7HsIs5OqeoV0pURP3VvYyBF75xp3aYI8Gfb1wLoqXmp2 iFhSTskqEc42iMvG/Ks5Rb1wQLrJ4RNgxunGofmNQusjgN406aAqvE79a6JUmt/z 7Z6i8Tvy9PGgNtbnalyxbikpA8Qcoxoij2pbIcSNIJXW+mA74QtI3AC4+4m0V90H butyhmDY1nQ= =gsJD -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon will be restarted automatically. Applications using the APR libraries, such as httpd, must be restarted for this update to take effect. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. ========================================================================== Ubuntu Security Notice USN-4898-1 March 31, 2021 curl vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: curl could be made to expose sensitive information over the network. A remote attacker could possibly use this issue to obtain sensitive information. A remote attacker in control of an HTTPS proxy could use this issue to bypass certificate checks and intercept communications. This issue only affected Ubuntu 20.04 LTS and Ubuntu 20.10. (CVE-2021-22890) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.10: curl 7.68.0-1ubuntu4.3 libcurl3-gnutls 7.68.0-1ubuntu4.3 libcurl3-nss 7.68.0-1ubuntu4.3 libcurl4 7.68.0-1ubuntu4.3 Ubuntu 20.04 LTS: curl 7.68.0-1ubuntu2.5 libcurl3-gnutls 7.68.0-1ubuntu2.5 libcurl3-nss 7.68.0-1ubuntu2.5 libcurl4 7.68.0-1ubuntu2.5 Ubuntu 18.04 LTS: curl 7.58.0-2ubuntu3.13 libcurl3-gnutls 7.58.0-2ubuntu3.13 libcurl3-nss 7.58.0-2ubuntu3.13 libcurl4 7.58.0-2ubuntu3.13 Ubuntu 16.04 LTS: curl 7.47.0-1ubuntu2.19 libcurl3 7.47.0-1ubuntu2.19 libcurl3-gnutls 7.47.0-1ubuntu2.19 libcurl3-nss 7.47.0-1ubuntu2.19 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4881-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini March 30, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : curl CVE ID : CVE-2020-8169 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890 Debian Bug : 965280 965281 968831 977161 977162 977163 Multiple vulnerabilities were discovered in cURL, an URL transfer library: CVE-2020-8169 Marek Szlagor reported that libcurl could be tricked into prepending a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s). CVE-2020-8177 sn reported that curl could be tricked by a malicious server into overwriting a local file when using th -J (--remote-header-name) and -i (--include) options in the same command line. CVE-2020-8231 Marc Aldorasi reported that libcurl might use the wrong connection when an application using libcurl's multi API sets the option CURLOPT_CONNECT_ONLY, which could lead to information leaks. CVE-2020-8284 Varnavas Papaioannou reported that a malicious server could use the PASV response to trick curl into connecting back to an arbitrary IP address and port, potentially making curl extract information about services that are otherwise private and not disclosed. CVE-2020-8285 xnynx reported that libcurl could run out of stack space when using tha FTP wildcard matching functionality (CURLOPT_CHUNK_BGN_FUNCTION). CVE-2020-8286 It was reported that libcurl didn't verify that an OCSP response actually matches the certificate it is intended to. CVE-2021-22876 Viktor Szakats reported that libcurl does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. For the stable distribution (buster), these problems have been fixed in version 7.64.0-4+deb10u2. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEBsId305pBx+F583DbwzL4CFiRygFAmBkQCoACgkQbwzL4CFi Ryg6Gg/+LqhhJ8+D7skevVkYzxHzdH2yT/XMeoYp0D37yHmEfH9PyjXwfplG+XEw /xwFRBK8qxD1ja+rQddYyeTvi1OMnMgMS3UsRHlfeMnLxh2+oHnvHDYG848npUEZ Rq4YFoc/n9YTAJZP/G4oiuBeXqH2Sqa5hSNT6VrYfRciCxkYnzA78b85KpI8aYyR lhfiJMNpwrqDbt/QzblpELBkGMIV402VeiqDwHfcVzm2E810xXQNLvPMbWtvDYkA TSrNsdqfuFr1tuQSZY6CGSWEyXtB/tOo8+pvUixlJMBWJMl5TXEcJkD5ckehx0yb C3n9yapfklxHiG9lD4zwwIJDqd3Y4SxdDiSlUC4OhdvpwniMygX0S3ICaPA4iac/ cWanml0Fop3OmRy+vQURTd3sADoT5HoRSUXZVU+HdTrRaEt2xs5okZkWSd3yr4Ux i+HgjUAFkkk8DLRB68Bbpx1LGxFGQT7L8yd4wsWINXlzASIP1A5dnNfE5w0VWOHG 3KDq47wNfjuiZC8GXW+HQCxz5MijnS8Y/Egl0OozNFDwEitNBZEsIjpZaZBdZIwi UFfcK7+u/y/TRY54rA4erkdcHFwpYW5EZVGdb7Z+WPWVlzw0ImXrM68LSAhHQaqW 1Hx4VwwwTsMIPnrx2kriRiiDPOW1r5Kip3yHa+QZLedSRGibQWk= =001T -----END PGP SIGNATURE-----

Trust: 2.7

sources: NVD: CVE-2021-22890 // JVNDB: JVNDB-2021-002808 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-22890 // PACKETSTORM: 162817 // PACKETSTORM: 163193 // PACKETSTORM: 163197 // PACKETSTORM: 162037 // PACKETSTORM: 169015

AFFECTED PRODUCTS

vendor:fedoraprojectmodel:fedorascope:eqversion:33

Trust: 1.0

vendor:splunkmodel:universal forwarderscope:gteversion:8.2.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:34

Trust: 1.0

vendor:oraclemodel:essbasescope:eqversion:21.2

Trust: 1.0

vendor:splunkmodel:universal forwarderscope:ltversion:8.2.12

Trust: 1.0

vendor:splunkmodel:universal forwarderscope:eqversion:9.1.0

Trust: 1.0

vendor:haxxmodel:libcurlscope:lteversion:7.75.0

Trust: 1.0

vendor:netappmodel:hci management nodescope:eqversion: -

Trust: 1.0

vendor:haxxmodel:libcurlscope:gteversion:7.63.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:32

Trust: 1.0

vendor:splunkmodel:universal forwarderscope:ltversion:9.0.6

Trust: 1.0

vendor:netappmodel:solidfirescope:eqversion: -

Trust: 1.0

vendor:siemensmodel:sinec infrastructure network servicesscope:ltversion:1.0.1.1

Trust: 1.0

vendor:broadcommodel:fabric operating systemscope:eqversion: -

Trust: 1.0

vendor:oraclemodel:communications billing and revenue managementscope:eqversion:12.0.0.3.0

Trust: 1.0

vendor:splunkmodel:universal forwarderscope:gteversion:9.0.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:netappmodel:hci storage nodescope:eqversion: -

Trust: 1.0

vendor:日立model:jp1/automatic job management system 3scope:eqversion:- agent

Trust: 0.8

vendor:broadcommodel:fabric operating systemscope: - version: -

Trust: 0.8

vendor:fedoramodel:fedorascope: - version: -

Trust: 0.8

vendor:日立model:jp1/automatic job management system 3scope:eqversion:- agent minimal edition

Trust: 0.8

vendor:日立model:jp1/automatic job management system 3scope:eqversion:- manager

Trust: 0.8

vendor:netappmodel:hci management nodescope: - version: -

Trust: 0.8

vendor:haxxmodel:libcurlscope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:netappmodel:solidfirescope: - version: -

Trust: 0.8

vendor:netappmodel:hci storage nodescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-002808 // NVD: CVE-2021-22890

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-22890
value: LOW

Trust: 1.0

NVD: CVE-2021-22890
value: LOW

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202103-1709
value: LOW

Trust: 0.6

VULMON: CVE-2021-22890
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-22890
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2021-22890
baseSeverity: LOW
baseScore: 3.7
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2021-22890
baseSeverity: LOW
baseScore: 3.7
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2021-22890 // JVNDB: JVNDB-2021-002808 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202103-1709 // NVD: CVE-2021-22890

PROBLEMTYPE DATA

problemtype:CWE-300

Trust: 1.0

problemtype:CWE-290

Trust: 1.0

problemtype:Avoid authentication by spoofing (CWE-290) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-002808 // NVD: CVE-2021-22890

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 162037 // CNNVD: CNNVD-202103-1709

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202103-1709

PATCH

title:hitachi-sec-2021-132url:https://www.broadcom.com/

Trust: 0.8

title:HAXX libcurl Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=145993

Trust: 0.6

title:Debian CVElist Bug Report Logs: curl: CVE-2021-22890url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=070f9241d84352ce262145cf1828f6f7

Trust: 0.1

title:Red Hat: CVE-2021-22890url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2021-22890

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2021-22890 log

Trust: 0.1

title:Hitachi Security Advisories: Vulnerability in JP1/Automatic Job Management System 3url:https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories&qid=hitachi-sec-2021-132

Trust: 0.1

title:Debian Security Advisories: DSA-4881-1 curl -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=a9706a30f62799ecc4d45bdb53c244eb

Trust: 0.1

title:Brocade Security Advisories: Access Deniedurl:https://vulmon.com/vendoradvisory?qidtp=brocade_security_advisories&qid=b1e904198be8e0726ebde78ffc5fac9a

Trust: 0.1

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=4a9822530e6b610875f83ffc10e02aba

Trust: 0.1

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d

Trust: 0.1

title:clair-clienturl:https://github.com/indece-official/clair-client

Trust: 0.1

sources: VULMON: CVE-2021-22890 // JVNDB: JVNDB-2021-002808 // CNNVD: CNNVD-202103-1709

EXTERNAL IDS

db:NVDid:CVE-2021-22890

Trust: 3.0

db:HACKERONEid:1129529

Trust: 1.7

db:SIEMENSid:SSA-389290

Trust: 1.7

db:JVNDBid:JVNDB-2021-002808

Trust: 0.8

db:PACKETSTORMid:162817

Trust: 0.7

db:PACKETSTORMid:163193

Trust: 0.7

db:PACKETSTORMid:162037

Trust: 0.7

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:AUSCERTid:ESB-2021.1129

Trust: 0.6

db:AUSCERTid:ESB-2021.2168

Trust: 0.6

db:AUSCERTid:ESB-2021.1114

Trust: 0.6

db:AUSCERTid:ESB-2023.3146

Trust: 0.6

db:AUSCERTid:ESB-2021.1118

Trust: 0.6

db:CS-HELPid:SB2021052711

Trust: 0.6

db:CS-HELPid:SB2021062142

Trust: 0.6

db:CS-HELPid:SB2022031104

Trust: 0.6

db:CNNVDid:CNNVD-202103-1709

Trust: 0.6

db:ICS CERTid:ICSA-22-069-09

Trust: 0.1

db:VULMONid:CVE-2021-22890

Trust: 0.1

db:PACKETSTORMid:163197

Trust: 0.1

db:PACKETSTORMid:169015

Trust: 0.1

sources: VULMON: CVE-2021-22890 // JVNDB: JVNDB-2021-002808 // PACKETSTORM: 162817 // PACKETSTORM: 163193 // PACKETSTORM: 163197 // PACKETSTORM: 162037 // PACKETSTORM: 169015 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202103-1709 // NVD: CVE-2021-22890

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2021-22890

Trust: 1.9

url:https://security.gentoo.org/glsa/202105-36

Trust: 1.8

url:https://hackerone.com/reports/1129529

Trust: 1.7

url:https://curl.se/docs/cve-2021-22890.html

Trust: 1.7

url:https://security.netapp.com/advisory/ntap-20210521-0007/

Trust: 1.7

url:https://www.oracle.com//security-alerts/cpujul2021.html

Trust: 1.7

url:https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Trust: 1.7

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/itvwpvglfisu5bjc2bxbrysdxtxe2ygc/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/kquioyx2kuu6fiuzvb5wwz6jhssysqwj/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2zc5bmioklbqjsfchedn2g2c2sh274bp/

Trust: 1.1

url:https://access.redhat.com/security/cve/cve-2021-22890

Trust: 0.9

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2zc5bmioklbqjsfchedn2g2c2sh274bp/

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/itvwpvglfisu5bjc2bxbrysdxtxe2ygc/

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/kquioyx2kuu6fiuzvb5wwz6jhssysqwj/

Trust: 0.6

url:https://packetstormsecurity.com/files/162037/ubuntu-security-notice-usn-4898-1.html

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/

Trust: 0.6

url:https://packetstormsecurity.com/files/163193/red-hat-security-advisory-2021-2471-01.html

Trust: 0.6

url:https://packetstormsecurity.com/files/162817/gentoo-linux-security-advisory-202105-36.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021052711

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1118

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1129

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3146

Trust: 0.6

url:https://vigilance.fr/vulnerability/libcurl-man-in-the-middle-via-tls-1-3-session-ticket-proxy-host-mixup-34978

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1114

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-affect-powersc-cve-2021-22876-and-cve-2021-22890/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2168

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021062142

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022031104

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-22876

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2021-22901

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-8284

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-8285

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-8286

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-8169

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2021-22901

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-8286

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-8285

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-22876

Trust: 0.2

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-31618

Trust: 0.2

url:https://access.redhat.com/security/team/contact/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-31618

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-8284

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-8169

Trust: 0.2

url:https://bugzilla.redhat.com/):

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/290.html

Trust: 0.1

url:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986270

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-069-09

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22898

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.apachehttp&downloadtype=securitypatches&version=2.4.37

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.openssl&downloadtype=securitypatches&version=1.1.1g

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.37/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:2471

Trust: 0.1

url:https://access.redhat.com/articles/11258

Trust: 0.1

url:https://access.redhat.com/security/team/key/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:2472

Trust: 0.1

url:https://ubuntu.com/security/notices/usn-4898-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu4.3

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.5

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.19

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.13

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-8231

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://security-tracker.debian.org/tracker/curl

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-8177

Trust: 0.1

sources: VULMON: CVE-2021-22890 // JVNDB: JVNDB-2021-002808 // PACKETSTORM: 162817 // PACKETSTORM: 163193 // PACKETSTORM: 163197 // PACKETSTORM: 162037 // PACKETSTORM: 169015 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202103-1709 // NVD: CVE-2021-22890

CREDITS

Ubuntu

Trust: 0.7

sources: PACKETSTORM: 162037 // CNNVD: CNNVD-202103-1709

SOURCES

db:VULMONid:CVE-2021-22890
db:JVNDBid:JVNDB-2021-002808
db:PACKETSTORMid:162817
db:PACKETSTORMid:163193
db:PACKETSTORMid:163197
db:PACKETSTORMid:162037
db:PACKETSTORMid:169015
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202103-1709
db:NVDid:CVE-2021-22890

LAST UPDATE DATE

2024-11-23T20:28:36.378000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2021-22890date:2023-11-07T00:00:00
db:JVNDBid:JVNDB-2021-002808date:2021-10-05T05:56:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202103-1709date:2023-06-05T00:00:00
db:NVDid:CVE-2021-22890date:2024-11-21T05:50:51.007

SOURCES RELEASE DATE

db:VULMONid:CVE-2021-22890date:2021-04-01T00:00:00
db:JVNDBid:JVNDB-2021-002808date:2021-10-05T00:00:00
db:PACKETSTORMid:162817date:2021-05-26T17:36:11
db:PACKETSTORMid:163193date:2021-06-17T18:01:23
db:PACKETSTORMid:163197date:2021-06-17T18:09:26
db:PACKETSTORMid:162037date:2021-03-31T14:30:52
db:PACKETSTORMid:169015date:2021-03-28T19:12:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202103-1709date:2021-03-31T00:00:00
db:NVDid:CVE-2021-22890date:2021-04-01T18:15:12.917