Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close


Published: 21 July 2021

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.


introduced in 7.27.0
per upstream "curl has completely removed the metalink feature
as of 7.78.0. No fix for this flaw will be produced by the curl
project. The fix for earlier versions is to rebuild curl
with the metalink support switched off!"
Ubuntu builds curl with metalink support switched off already.



Cvss 3 Severity Score


Score breakdown


Package Release Status
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not compiled)
focal Not vulnerable
(code not compiled)
groovy Not vulnerable
(code not compiled)
hirsute Not vulnerable
(code not compiled)
impish Not vulnerable
(code not compiled)
jammy Not vulnerable
(code not compiled)
trusty Not vulnerable
(code not compiled)
Released (7.78.0)
xenial Not vulnerable
(code not compiled)

Severity score breakdown

Parameter Value
Base score 5.3
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N