CVE-2021-22925

MEDIUM

curl 7.7-7.77.0 - Exposure of Sensitive Information via TELNET NEW_ENV Option Parser

Title source: llm

Description

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers.

Due to a flaw in the option parser for sending `NEW_ENV` variables, libcurl could be made to pass on uninitialized data from a stack-based buffer to the server, potentially revealing sensitive internal information to the server over a clear-text network protocol.

This could happen because curl did not call and use sscanf() correctly when parsing the string provided by the application.

References (12)

Core References
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2021/Sep/40
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2021/Sep/39
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202212-01
Exploit, Issue Tracking, Patch, Third Party Advisory
https://hackerone.com/reports/1223882

Scores

CVSS v3 5.3
EPSS 0.0024
EPSS Percentile 47.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-200 CWE-908
Status published
Products (33)
None/https://github.com/curl/curl curl 7.7 to and including 7.77.0
apple/mac_os_x 10.15.7 (5 CPE variants)
apple/macos 11.0
apple/macos 11.0.1
apple/macos 11.1
apple/macos 11.1.0
apple/macos 11.2
apple/macos 11.2.1
apple/macos 11.3
apple/macos 11.3.1
... and 23 more
Published Aug 05, 2021
Tracked Since Feb 18, 2026