curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0613 advisory.

  - A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as     @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states we are in     the process of marking this report as invalid; however, some third parties takes the position that A     prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge     or deep cloning but also when a target object is polluted. (CVE-2022-37616)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the     XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to     access an array at a negative 2GB offset, typically leading to a segmentation fault. (CVE-2022-40303)

  - An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a     hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be     provoked. (CVE-2022-40304)

  - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName.
    X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME     incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently     interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL     checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may     allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or     enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate     chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these     inputs, the other input must already contain an X.400 address as a CRL distribution point, which is     uncommon. As such, this vulnerability is most likely to only affect applications which have implemented     their own functionality for retrieving CRLs over a network. (CVE-2023-0286)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

On March 31, 2021, curl published security updates addressing CVE-2021-22876 and CVE-2021-22890. Previous releases of Puppet Agent contain a vulnerable version of curl. For more information about this vulnerability, refer to the curl security announcements.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202105-36 (cURL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in cURL. Please review the       CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

The version of Junos OS installed on the remote host is affected by multiple vulnerabilities as referenced in the JSA11289 advisory.

  - curl 7.1.1 to and including 7.75.0 is vulnerable to an Exposure of Private Personal Information to an     Unauthorized Actor by leaking credentials in the HTTP Referer: header. libcurl does not strip off user     credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing     HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second     HTTP request. (CVE-2021-22876)

  - curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a     connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl     can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote     server and then wrongly short-cut the host handshake. When confusing the tickets, a HTTPS proxy can     trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS     certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious     HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to     work - unless curl has been told to ignore the server certificate check. (CVE-2021-22890)

  - curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the     code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected     cipher set was stored in a single static variable in the library, which has the surprising side-effect     that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will     accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport     security significantly. (CVE-2021-22897)

  - curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as     `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a     flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized     data from a stack based buffer to the server, resulting in potentially revealing sensitive internal     information to the server using a clear-text network protocol. (CVE-2021-22898)

  - curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory     being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in     rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at     run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to     the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used     by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first     transfer object might be freed before the new session is established on that connection and then the     function will access a memory buffer that might be freed. When using that memory, libcurl might even call     a function pointer in the object, making it possible for a remote code execution if the server could     somehow manage to get crafted memory content into the correct place in memory. (CVE-2021-22901)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - curl 7.63.0 to and including 7.75.0 includes     vulnerability that allows a malicious HTTPS proxy to     MITM a connection due to bad handling of TLS 1.3     session tickets. When using a HTTPS proxy and TLS 1.3,     libcurl can confuse session tickets arriving from the     HTTPS proxy but work as if they arrived from the remote     server and then wrongly(CVE-2021-22890)

  - curl 7.1.1 to and including 7.75.0 is vulnerable to an     'Exposure of Private Personal Information to an     Unauthorized Actor' by leaking credentials in the HTTP     Referer: header. libcurl does not strip off user     credentials from the URL when automatically populating     the Referer: HTTP request header field in outgoing HTTP     requests, and therefore risks leaking sensitive data to     the server that is the target of the second HTTP     request.(CVE-2021-22876)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2472 advisory.

    This release adds the new Apache HTTP Server 2.4.37 Service Pack 8 packages that are part of the JBoss     Core Services offering.

    This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service     Pack 7 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most     significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * curl: Use-after-free in TLS session handling when using OpenSSL TLS backend (CVE-2021-22901)

    * httpd: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618)

    * libcurl: partial password leak over DNS on HTTP redirect (CVE-2020-8169)

    * curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284)

    * curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used     (CVE-2020-8285)

    * curl: Inferior OCSP verification (CVE-2020-8286)

    * curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876)

    * curl: TLS 1.3 session ticket mix-up with HTTPS proxy host (CVE-2021-22890)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - curl 7.63.0 to and including 7.75.0 includes     vulnerability that allows a malicious HTTPS proxy to     MITM a connection due to bad handling of TLS 1.3     session tickets. When using a HTTPS proxy and TLS 1.3,     libcurl can confuse session tickets arriving from the     HTTPS proxy but work as if they arrived from the remote     server and then wrongly(CVE-2021-22890)

  - curl 7.1.1 to and including 7.75.0 is vulnerable to an     'Exposure of Private Personal Information to an     Unauthorized Actor' by leaking credentials in the HTTP     Referer: header. libcurl does not strip off user     credentials from the URL when automatically populating     the Referer: HTTP request header field in outgoing HTTP     requests, and therefore risks leaking sensitive data to     the server that is the target of the second HTTP     request(CVE-2021-22876)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way libcurl handled TLS 1.3     session tickets. A malicious HTTPS proxy could possibly     use this flaw to make libcurl resume a TLS session it     previously had with the proxy while intending to resume     a TLS session with a target server, making it possible     for the proxy to perform a man-in-the-middle     attack.(CVE-2021-22890)

  - It was discovered that libcurl did not remove     authentication credentials from URLs when automatically     populating the Referer HTTP request header while     handling HTTP redirects. This could lead to exposure of     the credentials to the server to which requests were     redirected.(CVE-2021-22876)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-cab5c9befb advisory.

  - curl 7.1.1 to and including 7.75.0 is vulnerable to an Exposure of Private Personal Information to an     Unauthorized Actor by leaking credentials in the HTTP Referer: header. libcurl does not strip off user     credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing     HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second     HTTP request. (CVE-2021-22876)

  - curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a     connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl     can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote     server and then wrongly short-cut the host handshake. When confusing the tickets, a HTTPS proxy can     trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS     certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious     HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to     work - unless curl has been told to ignore the server certificate check. (CVE-2021-22890)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Daniel Stenberg reports :

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.

When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly 'short-cut' the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.

When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed.

This flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

An update of the curl package has been released.

This update for curl fixes the following issues :

  - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup     (bsc#1183934)

  - CVE-2021-22876: Automatic referer leaks credentials     (bsc#1183933)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

This update for curl fixes the following issues :

CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934)

CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were discovered in cURL, an URL transfer library :

  - CVE-2020-8169     Marek Szlagor reported that libcurl could be tricked     into prepending a part of the password to the host name     before it resolves it, potentially leaking the partial     password over the network and to the DNS server(s).

  - CVE-2020-8177     sn reported that curl could be tricked by a malicious     server into overwriting a local file when using the -J     (--remote-header-name) and -i (--include) options in the     same command line.

  - CVE-2020-8231     Marc Aldorasi reported that libcurl might use the wrong     connection when an application using libcurl's multi API     sets the option CURLOPT_CONNECT_ONLY, which could lead     to information leaks.

  - CVE-2020-8284     Varnavas Papaioannou reported that a malicious server     could use the PASV response to trick curl into     connecting back to an arbitrary IP address and port,     potentially making curl extract information about     services that are otherwise private and not disclosed.

  - CVE-2020-8285     xnynx reported that libcurl could run out of stack space     when using the FTP wildcard matching functionality     (CURLOPT_CHUNK_BGN_FUNCTION).

  - CVE-2020-8286     It was reported that libcurl didn't verify that an OCSP     response actually matches the certificate it is intended     to.

  - CVE-2021-22876     Viktor Szakats reported that libcurl does not strip off     user credentials from the URL when automatically     populating the Referer HTTP request header field in     outgoing HTTP requests.

  - CVE-2021-22890     Mingtao Yang reported that, when using an HTTPS proxy     and TLS 1.3, libcurl could confuse session tickets     arriving from the HTTPS proxy as if they arrived from     the remote server instead. This could allow an HTTPS     proxy to trick libcurl into using the wrong session     ticket for the host and thereby circumvent the server     TLS certificate check.

New curl packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4898-1 advisory.

    Viktor Szakats discovered that curl did not strip off user credentials from referrer header fields. A     remote attacker could possibly use this issue to obtain sensitive information. (CVE-2021-22876)

    Mingtao Yang discovered that curl incorrectly handled session tickets when using an HTTPS proxy. A remote     attacker in control of an HTTPS proxy could use this issue to bypass certificate checks and intercept     communications. This issue only affected Ubuntu 20.04 LTS and Ubuntu 20.10. (CVE-2021-22890)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	critical
194927	Universal Forwarders < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0614)	Nessus	CGI abuses	critical
194926	Universal Forwarder 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0809)	Nessus	CGI abuses	critical
194919	Splunk Enterprise < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0613)	Nessus	CGI abuses	critical
184145	Puppet Agent 6.x < 6.22.1 / 7.x < 7.6.1 Vulnerability	Nessus	Windows	medium
157003	GLSA-202105-36 : cURL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
156677	Juniper Junos OS Multiple Vulnerabilities (JSA11289)	Nessus	Junos Local Security Checks	high
151262	EulerOS 2.0 SP9 : curl (EulerOS-SA-2021-2049)	Nessus	Huawei Local Security Checks	medium
151255	EulerOS 2.0 SP9 : curl (EulerOS-SA-2021-2060)	Nessus	Huawei Local Security Checks	medium
150852	RHEL 7 / 8 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 (RHSA-2021:2472)	Nessus	Red Hat Local Security Checks	high
150264	EulerOS Virtualization 2.9.0 : curl (EulerOS-SA-2021-1969)	Nessus	Huawei Local Security Checks	medium
150263	EulerOS Virtualization 2.9.1 : curl (EulerOS-SA-2021-1962)	Nessus	Huawei Local Security Checks	medium
148779	Fedora 33 : curl (2021-cab5c9befb)	Nessus	Fedora Local Security Checks	medium
148517	FreeBSD : curl -- TLS 1.3 session ticket proxy host mixup (d10fc771-958f-11eb-9c34-080027f515ea)	Nessus	FreeBSD Local Security Checks	low
148356	Photon OS 4.0: Curl PHSA-2021-4.0-0007	Nessus	PhotonOS Local Security Checks	medium
148341	Photon OS 3.0: Curl PHSA-2021-3.0-0215	Nessus	PhotonOS Local Security Checks	medium
148340	Photon OS 2.0: Curl PHSA-2021-2.0-0334	Nessus	PhotonOS Local Security Checks	medium
148338	Photon OS 1.0: Curl PHSA-2021-1.0-0377	Nessus	PhotonOS Local Security Checks	medium
148321	openSUSE Security Update : curl (openSUSE-2021-510)	Nessus	SuSE Local Security Checks	medium
148299	SUSE SLED15 / SLES15 Security Update : curl (SUSE-SU-2021:1006-1)	Nessus	SuSE Local Security Checks	medium
148277	Debian DSA-4881-1 : curl - security update	Nessus	Debian Local Security Checks	high
148274	Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2021-090-01)	Nessus	Slackware Local Security Checks	medium
148260	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : curl vulnerabilities (USN-4898-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2021-22890

low

Tenable Plugins

critical

critical

critical

critical

medium

high

high

medium

medium

high

medium

medium

medium

low

medium

medium

medium

medium

medium

medium

high

medium

medium