First published: Mon Jul 12 2021(Updated: )
A flaw was found in curl in the way curl handles a file hash mismatch after downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to trick users into downloading malicious content. The highest threat from this vulnerability is to integrity.
Credit: support@hackerone.com support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/curl | <0:7.61.1-18.el8_4.1 | 0:7.61.1-18.el8_4.1 |
redhat/curl | <0:7.61.1-12.el8_2.3 | 0:7.61.1-12.el8_2.3 |
redhat/curl | <7.78.0 | 7.78.0 |
Curl | >=7.27.0<7.78.0 | |
Fedora | =33 | |
netapp cloud backup | ||
IBM Data ONTAP | ||
netapp hci management node | ||
netapp solidfire | ||
MySQL | >=5.7.0<=5.7.35 | |
MySQL | >=8.0.0<=8.0.26 | |
siemens sinec infrastructure network services | <1.0.1.1 | |
All of | ||
netapp h300s firmware | ||
netapp h300s | ||
All of | ||
NetApp H500S Firmware | ||
netapp h500s | ||
All of | ||
netapp h700s firmware | ||
netapp h700s | ||
All of | ||
netapp h300e firmware | ||
netapp h300e | ||
All of | ||
netapp h500e firmware | ||
netapp h500e | ||
All of | ||
netapp h700e firmware | ||
netapp h700e | ||
All of | ||
netapp h410s firmware | ||
netapp h410s | ||
Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
Splunk Universal Forwarder | =9.1.0 | |
netapp h300s firmware | ||
netapp h300s | ||
NetApp H500S Firmware | ||
netapp h500s | ||
netapp h700s firmware | ||
netapp h700s | ||
netapp h300e firmware | ||
netapp h300e | ||
netapp h500e firmware | ||
netapp h500e | ||
netapp h700e firmware | ||
netapp h700e | ||
netapp h410s firmware | ||
netapp h410s |
This flaw can be mitigated by upgrading the affected curl utility to version 7.78.0 or by disabling the metalink feature in your current build
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-22922 is a vulnerability in curl that allows a file hash mismatch after downloading content using the metalink feature.
When curl is instructed to download content using the metalink feature, the contents are verified against a hash provided in the metalink XML file.
CVE-2021-22922 has a severity rating of 6.5 (medium).
The vulnerability affects curl versions up to but excluding 7.78.0.
More information about CVE-2021-22922 can be found on the GitHub commit, Red Hat Bugzilla, and the curl website.