Miggo Logo

CVE-2021-22922: When curl is instructed to download content using the metalink feature, thecontents is verified...

6.5

CVSS Score
3.1

Basic Information

EPSS Score
0.43601%
Published
5/24/2022
Updated
3/27/2024
KEV Status
No
Technology
-

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability CVE-2021-22922 describes a flaw in curl's metalink feature where downloaded content is not deleted if its hash mismatches the one provided in the metalink XML, potentially leaving malicious files on disk. The fix for this, identified in commit 265b14d6b37c4298bd5556fabcbc37d36f911693, was to remove the entire metalink functionality due to multiple security concerns. The primary vulnerable functions are those within the removed 'src/tool_metalink.c' file. Specifically, 'metalink_check_hash' and the static 'check_hash' function it calls are central to the hash verification process and the failure to correctly handle mismatches by deleting the file. Other functions like 'parse_metalink' (for parsing the XML) and 'metalink_write_cb' (for handling downloaded data) were also part of this vulnerable feature. The removal of these files and their functions is the strongest evidence of their involvement in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n *url is instru*t** to *ownlo** *ont*nt usin* t** m*t*link ***tur*, t***ont*nts is v*ri*i** ***inst * **s* provi*** in t** m*t*link XML *il*.T** m*t*link XML *il* points out to t** *li*nt *ow to **t t** s*m* *ont*nt*rom * s*t o* *i***r*nt URLs, p

Reasoning

T** vuln*r**ility *V*-****-***** **s*ri**s * *l*w in *url's m*t*link ***tur* w**r* *ownlo**** *ont*nt is not **l*t** i* its **s* mism*t***s t** on* provi*** in t** m*t*link XML, pot*nti*lly l**vin* m*li*ious *il*s on *isk. T** *ix *or t*is, i**nti*i*