Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2021-22898

UNKNOWN
Published 2021-06-11T15:49:37
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-22898. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-7w8r-q58w-5wcr

Advisory Details

curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-22898
WEB https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde
WEB https://hackerone.com/reports/1176461
WEB https://www.oracle.com/security-alerts/cpujan2022.html
WEB https://www.oracle.com/security-alerts/cpuapr2022.html
WEB https://www.oracle.com//security-alerts/cpujul2021.html
WEB https://www.debian.org/security/2022/dsa-5197
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V
WEB https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
WEB https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html
WEB https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E
WEB https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E
WEB https://curl.se/docs/CVE-2021-22898.html
WEB https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
WEB http://www.openwall.com/lists/oss-security/2021/07/21/4

Advisory provided by GitHub Security Advisory Database. Published: May 24, 2022, Modified: March 27, 2024

References

https://hackerone.com/reports/1176461
https://curl.se/docs/CVE-2021-22898.html
https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde
https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E
https://www.oracle.com//security-alerts/cpujul2021.html
http://www.openwall.com/lists/oss-security/2021/07/21/4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/
https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://www.debian.org/security/2022/dsa-5197
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html

HackerOne Reports

CVE-2021-22925: TELNET stack contents disclosure again Low
thoger
curl
Information Disclosure
View Report
Published: 2021-06-11T15:49:37
Last Modified: 2024-08-03T18:58:25.359Z
Copied to clipboard!