CVE-2021-22898 log
| Source |
|
| Severity | Medium |
| Remote | Yes |
| Type | Information disclosure |
| Description | A security issue has been found in curl before version 7.77.0. curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server. Therefore potentially revealing sensitive internal information to the server using a clear-text network protocol. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-2000 | lib32-libcurl-gnutls | 7.76.1-1 | 7.77.0-1 | Medium | Fixed | |
| AVG-1999 | libcurl-gnutls | 7.76.1-1 | 7.77.0-1 | Medium | Fixed | |
| AVG-1998 | lib32-libcurl-compat | 7.76.1-1 | 7.77.0-1 | High | Fixed | |
| AVG-1997 | libcurl-compat | 7.76.1-1 | 7.77.0-1 | High | Fixed | |
| AVG-1996 | lib32-curl | 7.76.1-1 | 7.77.0-1 | High | Fixed | |
| AVG-1995 | curl | 7.76.1-1 | 7.77.0-1 | High | Fixed |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 01 Jun 2021 | ASA-202106-9 | AVG-2000 | lib32-libcurl-gnutls | Medium | information disclosure |
| 01 Jun 2021 | ASA-202106-8 | AVG-1999 | libcurl-gnutls | Medium | information disclosure |
| 01 Jun 2021 | ASA-202106-7 | AVG-1998 | lib32-libcurl-compat | High | multiple issues |
| 01 Jun 2021 | ASA-202106-6 | AVG-1997 | libcurl-compat | High | multiple issues |
| 01 Jun 2021 | ASA-202106-5 | AVG-1996 | lib32-curl | High | multiple issues |
| 01 Jun 2021 | ASA-202106-4 | AVG-1995 | curl | High | multiple issues |
| References |
|---|
https://curl.se/docs/CVE-2021-22898.html https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde |
| Notes |
|---|
Workaround ========== The flaw can be mitigated by avoiding to use the -t command line option and CURLOPT_TELNETOPTIONS. |