CVE-2021-22923

NameCVE-2021-22923
DescriptionWhen curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)jessie, jessie (lts)7.38.0-4+deb8u28vulnerable
stretch (security)7.52.1-5+deb9u16vulnerable
stretch (lts), stretch7.52.1-5+deb9u22vulnerable
buster, buster (lts)7.64.0-4+deb10u10vulnerable
buster (security)7.64.0-4+deb10u9vulnerable
bullseye7.74.0-1.3+deb11u13vulnerable
bullseye (security)7.74.0-1.3+deb11u14vulnerable
bookworm7.88.1-10+deb12u8fixed
bookworm (security)7.88.1-10+deb12u5fixed
sid, trixie8.11.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsource(unstable)7.79.1-1unimportant

Notes

https://curl.se/docs/CVE-2021-22923.html
https://www.openwall.com/lists/oss-security/2021/07/21/2
The fix for earlier versions is to rebuild curl with the metalink support
switched off.
Metalink support not enabled in Debian builds.

Search for package or bug name: Reporting problems