{ "threat_severity" : "Moderate", "public_date" : "2021-07-21T06:00:00Z", "bugzilla" : { "description" : "curl: Content not matching hash in Metalink is not being discarded", "id" : "1981435", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1981435" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.", "A flaw was found in curl in the way curl handles a file hash mismatch after downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to trick users into downloading malicious content. The highest threat from this vulnerability is to integrity." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-09-21T00:00:00Z", "advisory" : "RHSA-2021:3582", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "curl-0:7.61.1-18.el8_4.1" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date" : "2021-10-19T00:00:00Z", "advisory" : "RHSA-2021:3903", "cpe" : "cpe:/o:redhat:rhel_eus:8.2", "package" : "curl-0:7.61.1-12.el8_2.3" } ], "package_state" : [ { "product_name" : ".NET Core 2.1 on Red Hat Enterprise Linux", "fix_state" : "Not affected", "package_name" : "rh-dotnet21-curl", "cpe" : "cpe:/a:redhat:rhel_dotnet:2.1" }, { "product_name" : ".NET Core 3.1 on Red Hat Enterprise Linux", "fix_state" : "Not affected", "package_name" : "rh-dotnet31-curl", "cpe" : "cpe:/a:redhat:rhel_dotnet:3.1" }, { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Out of support scope", "package_name" : "curl", "cpe" : "cpe:/a:redhat:ceph_storage:2" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat JBoss Core Services", "fix_state" : "Affected", "package_name" : "jbcs-httpd24-curl", "cpe" : "cpe:/a:redhat:jboss_core_services:1" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "httpd24-curl", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-22922\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22922\nhttps://curl.se/docs/CVE-2021-22922.html" ], "name" : "CVE-2021-22922", "mitigation" : { "value" : "This flaw can be mitigated by upgrading the affected curl utility to version 7.78.0 or by disabling the metalink feature in your current build", "lang" : "en:us" }, "csaw" : false }