CVE-2021-22925

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.
Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:o:apple:macos:11.0:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.0.1:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.1:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.1.0:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.2:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.3:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.3.1:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.4:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.5:*:*:*:*:*:*:*

Configuration 5 (hide)

OR cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*

Configuration 6 (hide)

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

History

14 Jun 2022, 11:15

Type Values Removed Values Added
References
  • (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf -

16 May 2022, 20:24

Type Values Removed Values Added
First Time Siemens sinec Infrastructure Network Services
Siemens
References (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory
CPE cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

10 Mar 2022, 17:41

Type Values Removed Values Added
References
  • (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf -

04 Mar 2022, 18:43

Type Values Removed Values Added
First Time Oracle peoplesoft Enterprise Peopletools
References (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
CPE cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

07 Feb 2022, 16:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

10 Dec 2021, 17:07

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/40 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/40 - Mailing List, Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/39 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/39 - Mailing List, Third Party Advisory

20 Oct 2021, 11:16

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

22 Sep 2021, 00:15

Type Values Removed Values Added
References
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/40 -
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/39 -

21 Sep 2021, 19:09

Type Values Removed Values Added
CPE cpe:2.3:o:apple:macos:11.4:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.5:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.0.1:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.1:*:*:*:*:*:*:*
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.3.1:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.1.0:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.3:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.0:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:11.2:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
References (CONFIRM) https://support.apple.com/kb/HT212804 - (CONFIRM) https://support.apple.com/kb/HT212804 - Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT212805 - (CONFIRM) https://support.apple.com/kb/HT212805 - Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20210902-0003/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20210902-0003/ - Third Party Advisory

21 Sep 2021, 04:15

Type Values Removed Values Added
References
  • (CONFIRM) https://support.apple.com/kb/HT212804 -
  • (CONFIRM) https://support.apple.com/kb/HT212805 -

02 Sep 2021, 09:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210902-0003/ -

16 Aug 2021, 17:23

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ - Mailing List, Third Party Advisory
References (MISC) https://hackerone.com/reports/1223882 - (MISC) https://hackerone.com/reports/1223882 - Exploit, Issue Tracking, Patch, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 5.3
CWE CWE-908
CPE cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

05 Aug 2021, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-08-05 21:15

Updated : 2022-06-14 11:15


NVD link : CVE-2021-22925

Mitre link : CVE-2021-22925


JSON object : View

Products Affected

fedoraproject

  • fedora

siemens

  • sinec_infrastructure_network_services

haxx

  • curl

netapp

  • hci_management_node
  • solidfire
  • clustered_data_ontap

oracle

  • mysql_server
  • peoplesoft_enterprise_peopletools

apple

  • macos
  • mac_os_x
CWE
CWE-908

Use of Uninitialized Resource