CVE-2021-22923

Publication date 21 July 2021

Last updated 24 July 2024


Ubuntu priority

CVSS 3 severity score: 5.3 · Medium

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are subsequently passed on to each of the servers from which curl will download, or try to download, the contents. This is often contrary to the user's expectations and intentions, and it happens without the user being told.


Status

| Package | Ubuntu Release | Status |
|---|---|---|
| curl | 22.04 LTS jammy | Not affected |
| curl | 21.10 impish | Not affected |
| curl | 21.04 hirsute | Not affected |
| curl | 20.10 groovy | Not affected |
| curl | 20.04 LTS focal | Not affected |
| curl | 18.04 LTS bionic | Not affected |
| curl | 16.04 LTS xenial | Not affected |
| curl | 14.04 LTS trusty | Not affected |

Notes


mdeslaur

Introduced in 7.27.0. Per upstream: "curl has completely removed the metalink feature as of 7.78.0. No fix for this flaw will be produced by the curl project. The fix for earlier versions is to rebuild curl with the metalink support switched off!" Ubuntu builds curl with metalink support switched off already.
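To check a curl build against the version range and build option named in the note above, the following added example (not code from Ubuntu or the curl project) classifies `curl --version` output. It assumes that a metalink-enabled build lists `Metalink` on the `Features:` line; the function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example. Bounds are from the note above: introduced in 7.27.0,
# metalink removed as of 7.78.0.

# ver_num "7.68.0" -> 7068000, so versions compare as integers.
ver_num() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Reads `curl --version` text on stdin and prints one of:
#   affected           version in range and Metalink listed in Features
#   metalink-disabled  version in range, built without metalink
#   out-of-range       version outside [7.27.0, 7.78.0)
#   unknown            first line is not a curl version banner
metalink_exposure() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | awk 'NR == 1 && $1 == "curl" { print $2 }')
    ver=${ver%%-*}    # drop suffixes such as -DEV
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    n=$(ver_num "$ver")
    if [ "$n" -lt "$(ver_num 7.27.0)" ] || [ "$n" -ge "$(ver_num 7.78.0)" ]; then
        echo out-of-range
    elif printf '%s\n' "$out" | grep -i '^Features:' | grep -qiw 'metalink'; then
        echo affected
    else
        echo metalink-disabled
    fi
}

# Constructed sample banners (not captured from real systems).
SAMPLE_ENABLED='curl 7.76.1 (x86_64-pc-linux-gnu) libcurl/7.76.1 OpenSSL/1.1.1k
Features: AsynchDNS HTTPS-proxy IPv6 Largefile Metalink NTLM SSL'
SAMPLE_DISABLED='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f
Features: AsynchDNS HTTPS-proxy IPv6 Largefile NTLM SSL'
SAMPLE_REMOVED='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2
Features: AsynchDNS HTTPS-proxy IPv6 Largefile NTLM SSL'

for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_REMOVED"; do
    printf '%s\n' "$s" | metalink_exposure
done
# On a real host: curl --version | metalink_exposure
```

The check covers the `curl` binary on the path only; applications that bundle their own curl build need to be inspected separately.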

Severity score breakdown

| Parameter | Value |
|---|---|
| Base score | 5.3 · Medium |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |