curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0613 advisory.

  - A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as     @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states we are in     the process of marking this report as invalid; however, some third parties takes the position that A     prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge     or deep cloning but also when a target object is polluted. (CVE-2022-37616)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the     XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to     access an array at a negative 2GB offset, typically leading to a segmentation fault. (CVE-2022-40303)

  - An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a     hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be     provoked. (CVE-2022-40304)

  - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName.
    X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME     incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently     interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL     checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may     allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or     enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate     chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these     inputs, the other input must already contain an X.400 address as a CRL distribution point, which is     uncommon. As such, this vulnerability is most likely to only affect applications which have implemented     their own functionality for retrieving CRLs over a network. (CVE-2023-0286)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

On May 26, 2021 curl published security updates addressing 3 CVEs: CVE-2021-22897 (Low) CVE-2021-22898 (Medium)  CVE-2021-22901 (High). Previous releases of Puppet Agent contain this vulnerable version of curl.  For more information  about this vulnerability, refer to the curl ecurity announcements.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

For more information about this vulnerability, refer to the security announcements.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of curl installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2021-22901 advisory.

  - curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory     being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in     rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at     run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to     the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used     by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first     transfer object might be freed before the new session is established on that connection and then the     function will access a memory buffer that might be freed. When using that memory, libcurl might even call     a function pointer in the object, making it possible for a remote code execution if the server could     somehow manage to get crafted memory content into the correct place in memory. (CVE-2021-22901)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle HTTP Server installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2022 CPU advisory.

  - Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener     (Apache HTTP Server)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle HTTP Server. Successful attacks of this vulnerability can result in takeover of Oracle HTTP Server.
    CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). (CVE-2021-39275)

  - Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: SSL Module     (cURL)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle HTTP     Server. Successful attacks of this vulnerability can result in takeover of Oracle HTTP Server. CVSS 3.1     Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (CVE-2021-22901)

  - Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: SSL Module (Apache     HTTP Server)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle HTTP     Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete     access to some of Oracle HTTP Server accessible data and unauthorized ability to cause a partial denial of     service (partial DOS) of Oracle HTTP Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts).
    CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). (CVE-2021-44224)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202105-36 (cURL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in cURL. Please review the       CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

The version of Junos OS installed on the remote host is affected by multiple vulnerabilities as referenced in the JSA11289 advisory.

  - curl 7.1.1 to and including 7.75.0 is vulnerable to an Exposure of Private Personal Information to an     Unauthorized Actor by leaking credentials in the HTTP Referer: header. libcurl does not strip off user     credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing     HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second     HTTP request. (CVE-2021-22876)

  - curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a     connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl     can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote     server and then wrongly short-cut the host handshake. When confusing the tickets, a HTTPS proxy can     trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS     certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious     HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to     work - unless curl has been told to ignore the server certificate check. (CVE-2021-22890)

  - curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the     code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected     cipher set was stored in a single static variable in the library, which has the surprising side-effect     that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will     accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport     security significantly. (CVE-2021-22897)

  - curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as     `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a     flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized     data from a stack based buffer to the server, resulting in potentially revealing sensitive internal     information to the server using a clear-text network protocol. (CVE-2021-22898)

  - curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory     being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in     rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at     run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to     the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used     by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first     transfer object might be freed before the new session is established on that connection and then the     function will access a memory buffer that might be freed. When using that memory, libcurl might even call     a function pointer in the object, making it possible for a remote code execution if the server could     somehow manage to get crafted memory content into the correct place in memory. (CVE-2021-22901)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of MySQL running on the remote host is 5.7.x prior to 5.7.35. It is, therefore, affected by multiple vulnerabilities, including the following, as noted in the July 2021 Critical Patch Update advisory:

  - curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being   used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate   circumstances to potentially reach remote code execution in the client. (CVE-2021-22901)

  - LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting   applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.)   (CVE-2019-17543)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected   are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with   network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result   in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
  (CVE-2021-2372)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of MySQL running on the remote host is 8.0.x prior to 8.0.26. It is, therefore, affected by multiple vulnerabilities, including the following, as noted in the July 2021 Critical Patch Update advisory:

  - curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being   used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate   circumstances to potentially reach remote code execution in the client. (CVE-2021-22901)

  - LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting   applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.)   (CVE-2019-17543)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected   are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with   network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result   in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
  (CVE-2021-2372)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Oracle reports :

This Critical Patch Update contains 41 new security patches for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 8.8.

MariaDB is affected by CVE-2021-2372 and CVE-2021-2389 only.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2472 advisory.

    This release adds the new Apache HTTP Server 2.4.37 Service Pack 8 packages that are part of the JBoss     Core Services offering.

    This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service     Pack 7 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most     significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * curl: Use-after-free in TLS session handling when using OpenSSL TLS backend (CVE-2021-22901)

    * httpd: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618)

    * libcurl: partial password leak over DNS on HTTP redirect (CVE-2020-8169)

    * curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284)

    * curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used     (CVE-2020-8285)

    * curl: Inferior OCSP verification (CVE-2020-8286)

    * curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876)

    * curl: TLS 1.3 session ticket mix-up with HTTPS proxy host (CVE-2021-22890)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the curl package has been released.

New curl packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

ID	Name	Product	Family	Severity
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	critical
194927	Universal Forwarders < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0614)	Nessus	CGI abuses	critical
194926	Universal Forwarder 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0809)	Nessus	CGI abuses	critical
194919	Splunk Enterprise < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0613)	Nessus	CGI abuses	critical
184151	Puppet Agent 6.x < 6.23.0 / 7.x < 7.8.0 Multiple Vulnerabilities	Nessus	Windows	high
184149	Puppet Enterprise < 2019.8.7 / 2021.x < 2021.2 Curl Vulnerabilities	Nessus	Misc.	high
172860	CBL Mariner 2.0 Security Update: curl (CVE-2021-22901)	Nessus	MarinerOS Local Security Checks	high
159947	Oracle HTTP Server (Apr 2022 CPU)	Nessus	Web Servers	critical
157003	GLSA-202105-36 : cURL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
156677	Juniper Junos OS Multiple Vulnerabilities (JSA11289)	Nessus	Junos Local Security Checks	high
151969	MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU)	Nessus	Databases	high
151968	MySQL 8.0.x < 8.0.26 Multiple Vulnerabilities (Jul 2021 CPU)	Nessus	Databases	high
151899	FreeBSD : MySQL -- Multiple vulnerabilities (38a4a043-e937-11eb-9b84-d4c9ef517024)	Nessus	FreeBSD Local Security Checks	high
150852	RHEL 7 / 8 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 (RHSA-2021:2472)	Nessus	Red Hat Local Security Checks	high
150072	Photon OS 2.0: Curl PHSA-2021-2.0-0349	Nessus	PhotonOS Local Security Checks	high
150042	Photon OS 4.0: Curl PHSA-2021-4.0-0033	Nessus	PhotonOS Local Security Checks	high
150039	Photon OS 3.0: Curl PHSA-2021-3.0-0243	Nessus	PhotonOS Local Security Checks	high
150035	Photon OS 1.0: Curl PHSA-2021-1.0-0393	Nessus	PhotonOS Local Security Checks	high
150008	Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2021-146-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2021-22901

high

Tenable Plugins

critical

critical

critical

critical

high

high

high

critical

high

high

high

high

high

high

high

high

high

high

high