CVE-2021-22923 — MEDIUM (5.3)

Q: How severe is CVE-2021-22923?

CVE-2021-22923 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-22923?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Fedoraproject Fedora, Netapp Cloud Backup, Netapp Clustered Data Ontap, Netapp Hci Management Node.

Vulnerability Description

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Haxx	Curl	>= 7.27.0, < 7.78.0
Fedoraproject	Fedora	33
Netapp	Cloud Backup	-
Netapp	Clustered Data Ontap	-
Netapp	Hci Management Node	-
Netapp	Solidfire	-
Oracle	Mysql Server	>= 5.7.0, <= 5.7.35
Siemens	Sinec Infrastructure Network Services	< 1.0.1.1
Netapp	H300S Firmware	-
Netapp	H300S	-
Netapp	H500S Firmware	-
Netapp	H500S	-
Netapp	H700S Firmware	-
Netapp	H700S	-
Netapp	H300E Firmware	-
Netapp	H300E	-
Netapp	H500E Firmware	-
Netapp	H500E	-
Netapp	H700E Firmware	-
Netapp	H700E	-

Related Weaknesses (CWE)

CWE-522 CWE-319

References

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://hackerone.com/reports/1213181ExploitIssue TrackingThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202212-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20210902-0003/Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://hackerone.com/reports/1213181ExploitIssue TrackingThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202212-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20210902-0003/Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory

FAQ

What is CVE-2021-22923?

CVE-2021-22923 is a vulnerability with a CVSS score of 5.3 (MEDIUM). When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to ea...

How severe is CVE-2021-22923?

CVE-2021-22923 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-22923?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Fedoraproject Fedora, Netapp Cloud Backup, Netapp Clustered Data Ontap, Netapp Hci Management Node.