{ "threat_severity" : "Low", "public_date" : "2021-07-21T00:00:00Z", "bugzilla" : { "description" : "curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure", "id" : "1970902", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1970902" }, "cvss3" : { "cvss3_base_score" : "3.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-908", "details" : [ "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.", "A flaw was found in the way curl handled telnet protocol option for sending environment variables, which could lead to sending of uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol." ], "acknowledgement" : "This issue was discovered by Red Hat Product Security.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-11-09T00:00:00Z", "advisory" : "RHSA-2021:4511", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "curl-0:7.61.1-22.el8" } ], "package_state" : [ { "product_name" : ".NET Core 2.1 on Red Hat Enterprise Linux", "fix_state" : "Will not fix", "package_name" : "rh-dotnet21-curl", "cpe" : "cpe:/a:redhat:rhel_dotnet:2.1" }, { "product_name" : ".NET Core 3.1 on Red Hat Enterprise Linux", "fix_state" : "Will not fix", "package_name" : "rh-dotnet31-curl", "cpe" : "cpe:/a:redhat:rhel_dotnet:3.1" }, { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Out of support scope", "package_name" : "curl", "cpe" : "cpe:/a:redhat:ceph_storage:2" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat JBoss Core Services", "fix_state" : "Affected", "package_name" : "jbcs-httpd24-curl", "cpe" : "cpe:/a:redhat:jboss_core_services:1" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Fix deferred", "package_name" : "httpd24-curl", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-22925\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22925" ], "name" : "CVE-2021-22925", "mitigation" : { "value" : "This issue can be avoided by not setting any telnet options for the curl command line tool (using the -t / --telnet-option command line option) or the libcurl library (using the CURLOPT_TELNETOPTIONS option) when telnet protocol is not meant to be used.\nIf telnet protocol needs to be used with curl / libcurl, along with the NEW_ENV telnet option, ensure that no environment variable set via the NEW_ENV option has the name or value longer than 127 bytes.", "lang" : "en:us" }, "csaw" : false }