CVE-2021-22947
Severity: medium
CVSS v3 Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score: 0.3% (exploitation probability in 30 days)
Top 51% most likely to be exploited
Attack Characteristics
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Confidentiality: None
Integrity: High
Availability: None
Published: September 29, 2021 (1688 days ago)
Last Modified: April 16, 2026
Vendor: Splunk
Source: NVD
Vulnerability Report
Generated by CyberWatcher
Description
When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses; instead it would continue using and trusting the responses it got *before* the TLS handshake as if they were authenticated. This flaw allows a man-in-the-middle attacker to first inject the fake responses, then pass through the TLS traffic from the legitimate server and trick curl into sending data back to the user as though the attacker's injected data came from the TLS-protected server.
CWE: CWE-310
Affected Products
haxx curl
fedoraproject fedora
debian debian linux
netapp cloud backup
netapp clustered data ontap
netapp h300s firmware
netapp h500s firmware
netapp h700s firmware
netapp h300e firmware
netapp h500e firmware