6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-22922

GHSA ID

GHSA-975f-fvhv-8mhx

EPSS Score

0.43601%

CWE

CWE-354

Published

5/24/2022

Updated

3/27/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-22922

CVE-2021-22922: When curl is instructed to download content using the metalink feature, thecontents is verified...

When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-22922

GHSA ID

GHSA-975f-fvhv-8mhx

EPSS Score

0.43601%

CWE

CWE-354

Published

5/24/2022

Updated

3/27/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability CVE-2021-22922 describes a flaw in curl's metalink feature where downloaded content is not deleted if its hash mismatches the one provided in the metalink XML, potentially leaving malicious files on disk. The fix for this, identified in commit 265b14d6b37c4298bd5556fabcbc37d36f911693, was to remove the entire metalink functionality due to multiple security concerns. The primary vulnerable functions are those within the removed 'src/tool_metalink.c' file. Specifically, 'metalink_check_hash' and the static 'check_hash' function it calls are central to the hash verification process and the failure to correctly handle mismatches by deleting the file. Other functions like 'parse_metalink' (for parsing the XML) and 'metalink_write_cb' (for handling downloaded data) were also part of this vulnerable feature. The removal of these files and their functions is the strongest evidence of their involvement in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n *url is instru*t** to *ownlo** *ont*nt usin* t** m*t*link ***tur*, t***ont*nts is v*ri*i** ***inst * **s* provi*** in t** m*t*link XML *il*.T** m*t*link XML *il* points out to t** *li*nt *ow to **t t** s*m* *ont*nt*rom * s*t o* *i***r*nt URLs, p

Reasoning

T** vuln*r**ility *V*-****-***** **s*ri**s * *l*w in *url's m*t*link ***tur* w**r* *ownlo**** *ont*nt is not **l*t** i* its **s* mism*t***s t** on* provi*** in t** m*t*link XML, pot*nti*lly l**vin* m*li*ious *il*s on *isk. T** *ix *or t*is, i**nti*i*

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-22922: When curl is instructed to download content using the metalink feature, thecontents is verified...

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI