CVE-2021-22901 - log

CVE-2021-22901 edited at 26 May 2021 07:31:22
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Arbitrary code execution
Description
+ libcurl before version 7.77.0 can be tricked into using already freed memory when a new TLS session is negotiated or a client certificate is requested on an existing connection. For example, this can happen when a TLS server requests a client certificate on a connection that was established without one. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. The flaw can only happen in libcurl built to use OpenSSL.
References
+ https://curl.se/docs/CVE-2021-22901.html
+ https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479
Notes
CVE-2021-22901 created at 26 May 2021 07:25:37