1. CVE-Search
  2. CVE-2021-22901
ID CVE-2021-22901
Summary curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.
References
Vulnerable Configurations
  • cpe:2.3:a:haxx:curl:7.75.0:*:*:*:*:*:*:*
    cpe:2.3:a:haxx:curl:7.75.0:*:*:*:*:*:*:*
  • cpe:2.3:a:haxx:curl:7.76.0:*:*:*:*:*:*:*
    cpe:2.3:a:haxx:curl:7.76.0:*:*:*:*:*:*:*
  • cpe:2.3:a:haxx:curl:7.76.1:*:*:*:*:*:*:*
    cpe:2.3:a:haxx:curl:7.76.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_server:8.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_server:8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_server:8.0.15:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_server:8.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_server:8.0.17:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_server:8.0.17:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_server:8.0.22:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_server:8.0.22:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_server:8.0.23:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_server:8.0.23:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_server:8.0.24:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_server:8.0.24:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_server:8.0.25:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_server:8.0.25:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:essbase:21.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:essbase:21.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_server:5.7.27:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_server:5.7.27:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
    cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
  • cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*
    cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*
  • cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*
  • cpe:2.3:a:siemens:sinec_infrastructure_network_services:-:*:*:*:*:*:*:*
    cpe:2.3:a:siemens:sinec_infrastructure_network_services:-:*:*:*:*:*:*:*
  • cpe:2.3:a:siemens:sinec_infrastructure_network_services:1.0.1:-:*:*:*:*:*:*
    cpe:2.3:a:siemens:sinec_infrastructure_network_services:1.0.1:-:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:9.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:9.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:9.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:9.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:9.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:9.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:9.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:9.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:9.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:9.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:9.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:9.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:8.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:8.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:8.2.7:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:8.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:8.2.8:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:8.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:8.2.9:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:8.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:8.2.10:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:8.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:splunk:universal_forwarder:8.2.11:*:*:*:*:*:*:*
    cpe:2.3:a:splunk:universal_forwarder:8.2.11:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 27-03-2024 - 15:12)
Impact:
Exploitability:
CWE CWE-416
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
Last major update 27-03-2024 - 15:12
Published 11-06-2021 - 16:15
Last modified 27-03-2024 - 15:12
Back to Top