CVE-2021-22923

MEDIUM

curl - Metalink Feature - Auth Bypass

Title source: llm

Description

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.

References (6)

[Patch, Third Party Advisory] https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

[Exploit, Issue Tracking, Third Party Advisory] https://hackerone.com/reports/1213181

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/

[Third Party Advisory] https://security.gentoo.org/glsa/202212-01

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20210902-0003/

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3 5.3

EPSS 0.0012

EPSS Percentile 31.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Classification

CWE

CWE-319 CWE-522

Status published

Affected Products (17)

haxx/curl < 7.78.0

fedoraproject/fedora

netapp/cloud_backup

netapp/clustered_data_ontap

netapp/hci_management_node

netapp/solidfire

oracle/mysql_server < 5.7.35

siemens/sinec_infrastructure_network_services < 1.0.1.1

netapp/h300s_firmware

netapp/h500s_firmware

netapp/h700s_firmware

netapp/h300e_firmware

netapp/h500e_firmware

netapp/h700e_firmware

netapp/h410s_firmware

... and 2 more

Timeline

Published Aug 05, 2021

Tracked Since Feb 18, 2026