Awarded 1000 USD

CVE-2021-22946

Protocol downgrade required TLS bypassed

Project curl Security Advisory, September 15th 2021

VULNERABILITY

A user can tell curl to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line, or CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl). This requirement could be bypassed if the server returned a properly crafted but perfectly legitimate response.

This flaw would then make curl silently continue its operations without TLS, contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
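The failure class above is CWE-325: the decision to proceed was driven by an acceptable server reply rather than by the client's own record of whether a TLS handshake completed. The following is an added illustration, not curl's code or anything from the advisory: a constructed session model in which a flawed gate and a fixed gate are run over constructed reply lines. The upgrade verbs are the real ones from RFC 2595 (IMAP/POP3) and RFC 4217 (FTP); everything else (Session, the gates, the reply strings) is assumed for the example.

```python
import re
from dataclasses import dataclass, field

# Plaintext-to-TLS upgrade verbs: RFC 2595 (IMAP STARTTLS, POP3 STLS), RFC 4217 (FTP AUTH TLS).
# The verbs are real; the session model around them is constructed for this example.
UPGRADE_CMD = {"imap": "A001 STARTTLS", "pop3": "STLS", "ftp": "AUTH TLS"}

# Well-formed positive reply shapes per protocol (constructed, deliberately permissive).
POSITIVE_REPLY = {
    "imap": re.compile(r"^(\*|A\d+) OK\b"),
    "pop3": re.compile(r"^\+OK\b"),
    "ftp": re.compile(r"^[23]\d{2}[ -]"),
}


@dataclass
class Session:
    proto: str
    require_tls: bool                          # --ssl-reqd / CURLUSESSL_CONTROL or CURLUSESSL_ALL
    tls_active: bool = False                   # set only by do_handshake(), never by a reply
    wire: list = field(default_factory=list)   # (command, was_encrypted) as it left the client

    def send(self, cmd):
        self.wire.append((cmd, self.tls_active))

    def do_handshake(self):
        self.tls_active = True                 # stands in for a completed TLS handshake


def flawed_gate(sess, reply):
    """CWE-325 shape: a legitimate, positive-looking reply is taken as permission to go on,
    regardless of whether the client's own TLS handshake ever ran."""
    return bool(POSITIVE_REPLY[sess.proto].match(reply))


def fixed_gate(sess, reply):
    """Cleartext is acceptable only if TLS was never required; otherwise the handshake must have run."""
    return (not sess.require_tls) or sess.tls_active


def login(sess, server_reply, handshake_ran, gate):
    """Send the upgrade verb, optionally complete the handshake, then send credentials only if
    `gate` allows. Returns every command that left the host unencrypted."""
    sess.send(UPGRADE_CMD[sess.proto])
    if handshake_ran:
        sess.do_handshake()
    if not gate(sess, server_reply):
        raise RuntimeError("TLS required but not established; aborting before credentials")
    sess.send("LOGIN user secret")
    return [cmd for cmd, encrypted in sess.wire if not encrypted]
```

With `flawed_gate`, a required-TLS IMAP session whose handshake never ran still emits `LOGIN user secret` in clear; with `fixed_gate` the same session aborts before credentials are sent, and only the upgrade verb itself ever travels unencrypted.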

INFO

SMTP also features a similar TLS upgrade method, but that code in curl does not suffer from this bug.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22946 to this issue.

CWE-325: Missing Cryptographic Step

Severity: Medium

AFFECTED VERSIONS

Also note that libcurl is used by many applications, and not always advertised as such.

SOLUTION

RECOMMENDATIONS

A - Upgrade curl to version 7.79.0

B - Apply the patch to your local version

C - Do not use IMAP, POP3 or FTP

TIMELINE

This issue was reported to the curl project on September 8, 2021.

This advisory was posted on September 15, 2021.

CREDITS

Thanks a lot!

