2023-04-24 12:24:31 +02:00
{
"id" : "CVE-2021-22923" ,
"sourceIdentifier" : "support@hackerone.com" ,
"published" : "2021-08-05T21:15:11.293" ,
2024-03-27 17:03:28 +00:00
"lastModified" : "2024-03-27T15:11:51.407" ,
"vulnStatus" : "Analyzed" ,
2024-07-14 02:06:08 +00:00
"cveTags" : [ ] ,
2023-04-24 12:24:31 +02:00
"descriptions" : [
{
"lang" : "en" ,
"value" : "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened."
} ,
{
"lang" : "es" ,
"value" : "Cuando es instruido a curl de obtener contenidos usando la funcionalidad metalink, y se usan un nombre de usuario y una contrase\u00f1a para descargar el archivo XML metalink, esas mismas credenciales se pasan subsecuentemente a cada uno de los servidores de los que curl descargar\u00e1 o intentar\u00e1 descargar los contenidos. A menudo, en contra de las expectativas e intenciones del usuario y sin avisarle de lo sucedido"
}
] ,
"metrics" : {
"cvssMetricV31" : [
{
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
"cvssData" : {
"version" : "3.1" ,
"vectorString" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" ,
"attackVector" : "NETWORK" ,
"attackComplexity" : "HIGH" ,
"privilegesRequired" : "NONE" ,
"userInteraction" : "REQUIRED" ,
"scope" : "UNCHANGED" ,
"confidentialityImpact" : "HIGH" ,
"integrityImpact" : "NONE" ,
"availabilityImpact" : "NONE" ,
"baseScore" : 5.3 ,
"baseSeverity" : "MEDIUM"
} ,
"exploitabilityScore" : 1.6 ,
"impactScore" : 3.6
}
] ,
"cvssMetricV2" : [
{
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
"cvssData" : {
"version" : "2.0" ,
"vectorString" : "AV:N/AC:H/Au:N/C:P/I:N/A:N" ,
"accessVector" : "NETWORK" ,
"accessComplexity" : "HIGH" ,
"authentication" : "NONE" ,
"confidentialityImpact" : "PARTIAL" ,
"integrityImpact" : "NONE" ,
"availabilityImpact" : "NONE" ,
"baseScore" : 2.6
} ,
"baseSeverity" : "LOW" ,
"exploitabilityScore" : 4.9 ,
"impactScore" : 2.9 ,
"acInsufInfo" : false ,
"obtainAllPrivilege" : false ,
"obtainUserPrivilege" : false ,
"obtainOtherPrivilege" : false ,
"userInteractionRequired" : true
}
]
} ,
"weaknesses" : [
{
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
"description" : [
2023-06-30 18:00:43 +00:00
{
"lang" : "en" ,
"value" : "CWE-319"
} ,
2023-04-24 12:24:31 +02:00
{
"lang" : "en" ,
"value" : "CWE-522"
}
]
} ,
{
2024-03-27 17:03:28 +00:00
"source" : "support@hackerone.com" ,
2023-04-24 12:24:31 +02:00
"type" : "Secondary" ,
"description" : [
{
"lang" : "en" ,
"value" : "CWE-319"
}
]
}
] ,
"configurations" : [
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "7.27.0" ,
"versionEndExcluding" : "7.78.0" ,
"matchCriteriaId" : "9900B00E-B0BA-4E8B-89EA-B66E97AC406D"
}
]
}
]
} ,
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "E460AA51-FCDA-46B9-AE97-E6676AA5E194"
}
]
}
]
} ,
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "5C2089EE-5D7F-47EC-8EA5-0F69790564C4"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "1FE996B1-6951-4F85-AA58-B99A379D2163"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "A3C19813-E823-456A-B1CE-EC0684CE1953"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737"
}
]
}
]
} ,
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "5.7.0" ,
"versionEndIncluding" : "5.7.35" ,
"matchCriteriaId" : "E667933A-37EA-4BC2-9180-C3B4B7038866"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "8.0.0" ,
"versionEndIncluding" : "8.0.26" ,
"matchCriteriaId" : "709E83B4-8C66-4255-870B-2F72B37BA8C6"
}
]
}
]
} ,
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*" ,
"versionEndExcluding" : "1.0.1.1" ,
"matchCriteriaId" : "B0F46497-4AB0-49A7-9453-CC26837BF253"
}
]
}
]
} ,
{
"operator" : "AND" ,
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "6770B6C3-732E-4E22-BF1C-2D2FD610061C"
}
]
} ,
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "9F9C8C20-42EB-4AB5-BD97-212DEB070C43"
}
]
}
]
} ,
{
"operator" : "AND" ,
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "7FFF7106-ED78-49BA-9EC5-B889E3685D53"
}
]
} ,
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "E63D8B0F-006E-4801-BF9D-1C001BBFB4F9"
}
]
}
]
} ,
{
"operator" : "AND" ,
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "56409CEC-5A1E-4450-AA42-641E459CC2AF"
}
]
} ,
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "B06F4839-D16A-4A61-9BB5-55B13F41E47F"
}
]
}
]
} ,
{
"operator" : "AND" ,
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "108A2215-50FB-4074-94CF-C130FA14566D"
}
]
} ,
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "7AFC73CE-ABB9-42D3-9A71-3F5BC5381E0E"
}
]
}
]
} ,
{
"operator" : "AND" ,
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "32F0B6C0-F930-480D-962B-3F4EFDCC13C7"
}
]
} ,
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "803BC414-B250-4E3A-A478-A3881340D6B8"
}
]
}
]
} ,
{
"operator" : "AND" ,
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "0FEB3337-BFDE-462A-908B-176F92053CEC"
}
]
} ,
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "736AEAE9-782B-4F71-9893-DED53367E102"
}
]
}
]
} ,
{
"operator" : "AND" ,
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "D0B4AD8A-F172-4558-AEC6-FF424BA2D912"
}
]
} ,
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "8497A4C9-8474-4A62-8331-3FE862ED4098"
}
]
}
]
2024-03-27 17:03:28 +00:00
} ,
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "8.2.0" ,
"versionEndExcluding" : "8.2.12" ,
"matchCriteriaId" : "5722E753-75DE-4944-A11B-556CB299B57D"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "9.0.0" ,
"versionEndExcluding" : "9.0.6" ,
"matchCriteriaId" : "DC0F9351-81A4-4FEA-B6B5-6E960A933D32"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "EED24E67-2957-4C1B-8FEA-E2D2FE7B97FC"
}
]
}
]
2023-04-24 12:24:31 +02:00
}
] ,
"references" : [
{
"url" : "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" ,
"source" : "support@hackerone.com" ,
"tags" : [
"Patch" ,
"Third Party Advisory"
]
} ,
{
"url" : "https://hackerone.com/reports/1213181" ,
"source" : "support@hackerone.com" ,
"tags" : [
"Exploit" ,
"Issue Tracking" ,
"Third Party Advisory"
]
} ,
{
2023-11-07 21:03:21 +00:00
"url" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/" ,
2024-03-27 17:03:28 +00:00
"source" : "support@hackerone.com" ,
"tags" : [
"Mailing List" ,
"Third Party Advisory"
]
2023-04-24 12:24:31 +02:00
} ,
{
"url" : "https://security.gentoo.org/glsa/202212-01" ,
"source" : "support@hackerone.com" ,
"tags" : [
"Third Party Advisory"
]
} ,
{
"url" : "https://security.netapp.com/advisory/ntap-20210902-0003/" ,
"source" : "support@hackerone.com" ,
"tags" : [
"Third Party Advisory"
]
} ,
{
"url" : "https://www.oracle.com/security-alerts/cpuoct2021.html" ,
"source" : "support@hackerone.com" ,
"tags" : [
"Patch" ,
"Third Party Advisory"
]
}
]
}
