When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
References
Link | Resource |
---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | Patch Third Party Advisory |
https://hackerone.com/reports/1213181 | Exploit Issue Tracking Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/202212-01 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20210902-0003/ | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
AND |
|
Configuration 8 (hide)
AND |
|
Configuration 9 (hide)
AND |
|
Configuration 10 (hide)
AND |
|
Configuration 11 (hide)
AND |
|
Configuration 12 (hide)
AND |
|
Configuration 13 (hide)
|
History
27 Mar 2024, 15:11
Type | Values Removed | Values Added |
---|---|---|
First Time |
Splunk universal Forwarder
Splunk |
|
CPE | cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* |
|
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ - Mailing List, Third Party Advisory |
30 Jun 2023, 17:47
Type | Values Removed | Values Added |
---|---|---|
References | (GENTOO) https://security.gentoo.org/glsa/202212-01 - Third Party Advisory | |
CWE | CWE-319 |
19 Dec 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Apr 2022, 14:26
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:* cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* |
|
References | (MISC) https://hackerone.com/reports/1213181 - Exploit, Issue Tracking, Third Party Advisory | |
References | (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory |
10 Mar 2022, 17:41
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Dec 2021, 17:07
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
20 Oct 2021, 11:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Sep 2021, 19:09
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:* |
|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20210902-0003/ - Third Party Advisory |
02 Sep 2021, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Aug 2021, 14:39
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
References | (MISC) https://hackerone.com/reports/1213181 - Exploit, Third Party Advisory | |
CWE | CWE-522 | |
CVSS |
v2 : v3 : |
v2 : 2.6
v3 : 5.3 |
CPE | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
05 Aug 2021, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-08-05 21:15
Updated : 2024-03-27 15:11
NVD link : CVE-2021-22923
Mitre link : CVE-2021-22923
CVE.ORG link : CVE-2021-22923
JSON object : View
Products Affected
netapp
- h300s_firmware
- h500e
- h300s
- h300e
- h700e_firmware
- h700e
- h410s
- h500s
- h500s_firmware
- h300e_firmware
- solidfire
- clustered_data_ontap
- h700s_firmware
- hci_management_node
- h700s
- h410s_firmware
- cloud_backup
- h500e_firmware
haxx
- curl
oracle
- mysql_server
splunk
- universal_forwarder
siemens
- sinec_infrastructure_network_services
fedoraproject
- fedora