
CVE-2021-22923: When curl is instructed to get content using the metalink feature, and a user name and password...

CVSS Score: 5.3 (CVSS version 3.1)

Basic Information

EPSS Score: 0.25889%
Published: 5/24/2022
Updated: 3/27/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Vulnerability Intelligence

Root Cause Analysis

I was unable to fetch specific commit information for CVE-2021-22923. The vulnerability description indicates that the issue lies in how curl handles credentials when using the metalink feature, specifically that credentials for the metalink XML file are reused for downloading content from URLs within that file. Without the patch details, I cannot identify the precise functions involved in processing metalinks and handling credentials for subsequent requests. Therefore, I cannot provide a list of vulnerable functions with the required evidence and confidence.

Attempted to find commit information via direct commit URL and by searching, but was unsuccessful in retrieving the patch details needed for precise function identification. The available information describes the vulnerable behavior but does not point to specific code locations without the associated commit diffs or source code analysis of the patch that fixed the issue in curl 7.78.0 (commit ae012ddb4a75c2f0d91016f5c9d999510087f7bd was identified as potentially relevant but its content could not be fetched).
