Description
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
References (6)
Core 6
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202212-01
Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Exploit, Issue Tracking, Third Party Advisory
https://hackerone.com/reports/1213181
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210902-0003/
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Scores
CVSS v3
5.3
EPSS
0.0007
EPSS Percentile
20.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-319
CWE-522
Status
published
Products (17)
fedoraproject/fedora
33
haxx/curl
7.27.0 - 7.78.0
netapp/cloud_backup
netapp/clustered_data_ontap
netapp/h300e_firmware
netapp/h300s_firmware
netapp/h410s_firmware
netapp/h500e_firmware
netapp/h500s_firmware
netapp/h700e_firmware
... and 7 more
Published
Aug 05, 2021
Tracked Since
Feb 18, 2026