canonical ubuntu-linux CVE-2021-22924 vulnerability in Canonical and Other Products
Published on August 5, 2021

product logo product logo product logo product logo product logo product logo product logo product logo product logo
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2021-22924 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2021-22924. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.


Products Associated with CVE-2021-22924

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-22924 are published in these products:

Canonical Ubuntu Linux
 
Haxx Libcurl
 
Fedora Project Fedora
 
Debian Linux
 
NetApp Clustered Data Ontap
 
NetApp Solidfire Hci Management Node
 
Oracle MySQL
 
Oracle Peoplesoft Enterprise Peopletools
 
NetApp Cloud Backup
 
NetApp Solidfire Baseboard Management Controller Firmware
 
Siemens Sinec Infrastructure Network Services
 
Siemens Sinema Remote Connect Server
 
Siemens Sinema Remote Connect
 
Splunk Universal Forwarder
 

Exploit Probability

EPSS
0.75%
Percentile
72.74%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.