2021-06-07
ALT-BU-2021-3955-1
Branch sisyphus update bulletin.
Closed vulnerabilities
Published: 2021-04-27
BDU:2021-03580
Vulnerability in the sscanf() function of the libcurl library of the CURL tool for interacting with servers, allowing an attacker to gain unauthorized access to protected information
Severity: LOW (3.1)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
References:
Published: 2021-06-11
Modified: 2024-11-21
CVE-2021-22898
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.
Severity: LOW (3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
References:
- [oss-security] 20210721 [SECURITY ADVISORY] curl: TELNET stack contents disclosure again
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://curl.se/docs/CVE-2021-22898.html
- https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde
- https://hackerone.com/reports/1176461
- [guacamole-issues] 20210618 [jira] [Created] (GUACAMOLE-1368) Latest docker image fails security scans.
- [debian-lts-announce] 20210813 [SECURITY] [DLA 2734-1] curl security update
- [debian-lts-announce] 20220828 [SECURITY] [DLA 3085-1] curl security update
- FEDORA-2021-5d21b90a30
- FEDORA-2021-83fdddca0f
- DSA-5197
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
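The defect class behind CVE-2021-22898 above, as an added illustration (constructed C, not curl's code): a variable=content parser that ignores the sscanf() match count leaves its second stack buffer untouched on malformed input, shown next to a checked form that clears the buffers and rejects partial matches.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not taken from curl: split a "NAME=VALUE" pair
   (the variable=content form used for TELNET NEW_ENV) into two
   fixed-size stack buffers supplied by the caller. */
#define VARLEN 128

/* Flawed pattern: the number of successful conversions is ignored, so
   on input without '=' only varname is written; varval keeps whatever
   the stack already held, and a caller that trusts the return value
   would transmit that stale data. */
int parse_newenv_unchecked(const char *arg, char *varname, char *varval) {
    sscanf(arg, "%127[^=]=%127s", varname, varval);
    return 1; /* always reports success */
}

/* Hardened form: both outputs are cleared before parsing, and anything
   short of two conversions is treated as a parse error. */
int parse_newenv_checked(const char *arg, char *varname, char *varval) {
    varname[0] = '\0';
    varval[0] = '\0';
    if (sscanf(arg, "%127[^=]=%127s", varname, varval) != 2)
        return 0; /* reject; caller must send nothing */
    return 1;
}

int main(void) {
    char name[VARLEN], value[VARLEN];
    /* Fill 'value' with a visible sentinel standing in for stale stack
       contents so the difference between the two parsers is observable. */
    memset(value, 'X', VARLEN - 1);
    value[VARLEN - 1] = '\0';
    parse_newenv_unchecked("NOVALUE", name, value);
    printf("unchecked: name=%s value=%.8s...\n", name, value);  /* stale */
    if (!parse_newenv_checked("NOVALUE", name, value))
        printf("checked: rejected malformed input\n");
    if (parse_newenv_checked("USER=alice", name, value))
        printf("checked: name=%s value=%s\n", name, value);
    return 0;
}
```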