CVE-2021-22898

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2021-22898
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

3.1 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.6 /10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:N/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References
Link Resource
http://www.openwall.com/lists/oss-security/2021/07/21/4 Mailing List Patch Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf Patch Third Party Advisory
https://curl.se/docs/CVE-2021-22898.html Exploit Patch Vendor Advisory
https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde Patch Third Party Advisory
https://hackerone.com/reports/1176461 Exploit Issue Tracking Patch Third Party Advisory
https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/ Mailing List Third Party Advisory
https://www.debian.org/security/2022/dsa-5197 Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

Configuration 6 (hide)

OR cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
History

27 Mar 2024, 15:47

Type Values Removed Values Added
References () https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E - () https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/ - Mailing List, Third Party Advisory
CPE cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
First Time Splunk
Splunk universal Forwarder

07 Nov 2023, 03:30

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E', 'name': '[guacamole-issues] 20210618 [jira] [Created] (GUACAMOLE-1368) Latest docker image fails security scans.', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/', 'name': 'FEDORA-2021-83fdddca0f', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/', 'name': 'FEDORA-2021-5d21b90a30', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/ -
  • () https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E -

30 Aug 2022, 19:09

Type Values Removed Values Added
References (DEBIAN) https://www.debian.org/security/2022/dsa-5197 - (DEBIAN) https://www.debian.org/security/2022/dsa-5197 - Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html - Third Party Advisory

29 Aug 2022, 01:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html -

02 Aug 2022, 03:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5197 -

13 May 2022, 17:29

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
First Time Oracle communications Cloud Native Core Network Slice Selection Function
Oracle communications Cloud Native Core Binding Support Function
Oracle communications Cloud Native Core Service Communication Proxy
Oracle communications Cloud Native Core Network Function Cloud Native Environment
Oracle communications Cloud Native Core Network Repository Function
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory

20 Apr 2022, 00:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

06 Apr 2022, 13:20

Type Values Removed Values Added
References (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory
References (MISC) https://hackerone.com/reports/1176461 - Exploit, Issue Tracking, Third Party Advisory (MISC) https://hackerone.com/reports/1176461 - Exploit, Issue Tracking, Patch, Third Party Advisory
First Time Siemens sinec Infrastructure Network Services
Siemens
CPE cpe:2.3:a:apache:guacamole:1.3.0:-:*:*:*:*:*:* cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

10 Mar 2022, 17:41

Type Values Removed Values Added
References
  • (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf -

04 Mar 2022, 18:45

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
First Time Oracle essbase

07 Feb 2022, 16:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

20 Sep 2021, 12:17

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html - Mailing List, Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2021/07/21/4 - (MLIST) http://www.openwall.com/lists/oss-security/2021/07/21/4 - Mailing List, Patch, Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ - Mailing List, Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/ - Mailing List, Third Party Advisory
References (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
CPE cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*

13 Aug 2021, 07:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ -

07 Aug 2021, 03:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/ -

23 Jul 2021, 03:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2021/07/21/4 -

21 Jul 2021, 15:15

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

01 Jul 2021, 15:16

Type Values Removed Values Added
CVSS v2 : 5.0
v3 : 7.5 		v2 : 2.6
v3 : 3.1

22 Jun 2021, 16:23

Type Values Removed Values Added
References (MLIST) https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E - Mailing List, Third Party Advisory
References (MISC) https://curl.se/docs/CVE-2021-22898.html - (MISC) https://curl.se/docs/CVE-2021-22898.html - Exploit, Patch, Vendor Advisory
References (MISC) https://hackerone.com/reports/1176461 - (MISC) https://hackerone.com/reports/1176461 - Exploit, Issue Tracking, Third Party Advisory
References (MISC) https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde - (MISC) https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde - Patch, Third Party Advisory
CPE cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:guacamole:1.3.0:-:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : 5.0
v3 : 7.5
CWE CWE-909

18 Jun 2021, 15:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E -

11 Jun 2021, 17:18

Type Values Removed Values Added
New CVE
Information

Published : 2021-06-11 16:15

Updated : 2024-03-27 15:47

NVD link : CVE-2021-22898

Mitre link : CVE-2021-22898

CVE.ORG link : CVE-2021-22898

JSON object : View

Products Affected

oracle

  • communications_cloud_native_core_binding_support_function
  • communications_cloud_native_core_network_slice_selection_function
  • essbase
  • communications_cloud_native_core_service_communication_proxy
  • communications_cloud_native_core_network_function_cloud_native_environment
  • communications_cloud_native_core_network_repository_function
  • mysql_server

siemens

  • sinec_infrastructure_network_services

splunk

  • universal_forwarder

fedoraproject

  • fedora

debian

  • debian_linux

haxx

  • curl
CWE
CWE-909

Missing Initialization of Resource

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor