Your submission was sent successfully! Close

CVE-2021-22923

Published: 21 July 2021

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package Release Status
curl
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not compiled)
focal Not vulnerable
(code not compiled)
groovy Not vulnerable
(code not compiled)
hirsute Not vulnerable
(code not compiled)
impish Not vulnerable
(code not compiled)
jammy Not vulnerable
(code not compiled)
trusty Not vulnerable
(code not compiled)
upstream
Released (7.78.0)
xenial Not vulnerable
(code not compiled)

Notes

AuthorNote
mdeslaur
introduced in 7.27.0
per upstream "curl has completely removed the metalink feature
as of 7.78.0. No fix for this flaw will be produced by the curl
project. The fix for earlier versions is to rebuild curl
with the metalink support switched off!"
Ubuntu builds curl with metalink support switched off already.

References

Bugs