CVE-2021-22898 log

Severity Medium
Remote Yes
Type Information disclosure
A security issue has been found in curl before version 7.77.0. curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server. Therefore potentially revealing sensitive internal information to the server using a clear-text network protocol.
Group Package Affected Fixed Severity Status Ticket
AVG-2000 lib32-libcurl-gnutls 7.76.1-1 7.77.0-1 Medium Fixed
AVG-1999 libcurl-gnutls 7.76.1-1 7.77.0-1 Medium Fixed
AVG-1998 lib32-libcurl-compat 7.76.1-1 7.77.0-1 High Fixed
AVG-1997 libcurl-compat 7.76.1-1 7.77.0-1 High Fixed
AVG-1996 lib32-curl 7.76.1-1 7.77.0-1 High Fixed
AVG-1995 curl 7.76.1-1 7.77.0-1 High Fixed
Date Advisory Group Package Severity Type
01 Jun 2021 ASA-202106-9 AVG-2000 lib32-libcurl-gnutls Medium information disclosure
01 Jun 2021 ASA-202106-8 AVG-1999 libcurl-gnutls Medium information disclosure
01 Jun 2021 ASA-202106-7 AVG-1998 lib32-libcurl-compat High multiple issues
01 Jun 2021 ASA-202106-6 AVG-1997 libcurl-compat High multiple issues
01 Jun 2021 ASA-202106-5 AVG-1996 lib32-curl High multiple issues
01 Jun 2021 ASA-202106-4 AVG-1995 curl High multiple issues

The flaw can be mitigated by avoiding to use the -t command line option and CURLOPT_TELNETOPTIONS.