CVE-2021-22922: When curl is instructed to download content using the metalink feature, thecontents is verified...
6.5
Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability CVE-2021-22922 describes a flaw in curl's metalink feature where downloaded content is not deleted if its hash mismatches the one provided in the metalink XML, potentially leaving malicious files on disk. The fix for this, identified in commit 265b14d6b37c4298bd5556fabcbc37d36f911693, was to remove the entire metalink functionality due to multiple security concerns. The primary vulnerable functions are those within the removed 'src/tool_metalink.c' file. Specifically, 'metalink_check_hash' and the static 'check_hash' function it calls are central to the hash verification process and the failure to correctly handle mismatches by deleting the file. Other functions like 'parse_metalink' (for parsing the XML) and 'metalink_write_cb' (for handling downloaded data) were also part of this vulnerable feature. The removal of these files and their functions is the strongest evidence of their involvement in the vulnerability.