CVE-2021-22947: When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using...
CVSS base score: 5.9
Miggo AI
Root Cause Analysis
The vulnerability (CVE-2021-22947) in curl allowed a man-in-the-middle (MITM) attacker to inject responses during STARTTLS negotiation for IMAP, POP3, SMTP and FTP. curl read and cached these responses before the TLS handshake and then trusted them after the handshake, as if they had arrived over the authenticated channel.

The fix, identified in commit 8ef147c43646e91, adds a check to the respective protocol state machines (ftp_statemachine, imap_state_starttls_resp, pop3_state_starttls_resp, smtp_state_starttls_resp). After the STARTTLS response has been received, the check tests whether any data remains in the protocol's pingpong cache (pp->cache_size). Cached data at that point can only be a pipelined response that arrived in plaintext before the TLS upgrade, so curl now fails with CURLE_WEIRD_SERVER_REPLY instead of consuming these untrusted cached responses. The vulnerable functions are these state handlers, which prior to the patch would have processed the cached responses as if they were genuine post-TLS replies.
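The following is an added example written for this page, not curl's own code: it models the pingpong read cache described above with a hypothetical struct pingpong and two POP3-style STARTTLS response handlers, one without and one with the cache_size check that the fix introduced. The return codes, function names and the sample server lines are constructed for illustration; the only thing taken from curl is the idea that leftover bytes after the STARTTLS reply must be treated as an error rather than as the next response.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical return codes standing in for CURLE_OK and CURLE_WEIRD_SERVER_REPLY. */
enum { EX_OK = 0, EX_WEIRD_SERVER_REPLY = 1 };

/* Minimal stand-in for curl's pingpong state: bytes already read from the
 * socket but not yet consumed by a response handler live in the cache. */
struct pingpong {
    char   cache[256];
    size_t cache_size;
};

/* Copy the first line (through '\n') of src into line. Anything after it is
 * what a real reader would have pulled off the socket in the same read, so
 * it stays in the cache for the next response. */
static void pp_take_line(struct pingpong *pp, const char *src, char *line, size_t linesz)
{
    const char *nl = strchr(src, '\n');
    size_t n = nl ? (size_t)(nl - src + 1) : strlen(src);
    size_t rest;
    if (n >= linesz) n = linesz - 1;
    memcpy(line, src, n);
    line[n] = '\0';
    rest = strlen(src + n);
    if (rest >= sizeof pp->cache) rest = sizeof pp->cache - 1;
    memcpy(pp->cache, src + n, rest);
    pp->cache[rest] = '\0';
    pp->cache_size = rest;
}

/* Read the next response line. The cache is drained before the socket is
 * touched, which is why plaintext bytes could be mistaken for a reply that
 * arrived over TLS. */
static void pp_next_line(struct pingpong *pp, const char *socket_after_tls, char *line, size_t linesz)
{
    if (pp->cache_size) {
        char tmp[256];
        memcpy(tmp, pp->cache, pp->cache_size + 1);
        pp_take_line(pp, tmp, line, linesz);
    } else {
        pp_take_line(pp, socket_after_tls, line, linesz);
    }
}

/* Pre-fix behaviour: accept the STARTTLS reply, "upgrade" to TLS, then hand
 * out the next response from the cache that survived the upgrade untouched. */
static int starttls_resp_vulnerable(const char *pre_tls, const char *post_tls, char *next, size_t nextsz)
{
    struct pingpong pp = {{0}, 0};
    char line[256];
    pp_take_line(&pp, pre_tls, line, sizeof line);
    if (strncmp(line, "+OK", 3) != 0)
        return EX_WEIRD_SERVER_REPLY;
    /* TLS handshake would happen here; pp.cache is not cleared by it. */
    pp_next_line(&pp, post_tls, next, nextsz);
    return EX_OK;
}

/* Fixed behaviour: same flow plus the cache_size check. Leftover bytes after
 * the STARTTLS reply arrived in plaintext, so the connection is failed. */
static int starttls_resp_fixed(const char *pre_tls, const char *post_tls, char *next, size_t nextsz)
{
    struct pingpong pp = {{0}, 0};
    char line[256];
    pp_take_line(&pp, pre_tls, line, sizeof line);
    if (strncmp(line, "+OK", 3) != 0)
        return EX_WEIRD_SERVER_REPLY;
    if (pp.cache_size)                  /* pipelined data before the TLS upgrade */
        return EX_WEIRD_SERVER_REPLY;
    pp_next_line(&pp, post_tls, next, nextsz);
    return EX_OK;
}

/* Constructed sample traffic (POP3 style), not captured from a real server. */
static const char *PIPELINED_PRE_TLS = "+OK Begin TLS negotiation\r\n+OK Logged in\r\n";
static const char *CLEAN_PRE_TLS     = "+OK Begin TLS negotiation\r\n";
static const char *GENUINE_POST_TLS  = "+OK Logged in (TLS)\r\n";

int main(void)
{
    char next[256];
    int rc = starttls_resp_vulnerable(PIPELINED_PRE_TLS, GENUINE_POST_TLS, next, sizeof next);
    printf("vulnerable:  rc=%d next=%s", rc, next);   /* plaintext line served as a TLS reply */
    rc = starttls_resp_fixed(PIPELINED_PRE_TLS, GENUINE_POST_TLS, next, sizeof next);
    printf("fixed:       rc=%d (weird server reply)\n", rc);
    rc = starttls_resp_fixed(CLEAN_PRE_TLS, GENUINE_POST_TLS, next, sizeof next);
    printf("fixed/clean: rc=%d next=%s", rc, next);
    return 0;
}
```

The vulnerable handler returns the second plaintext line as the first "post-TLS" response; the fixed handler rejects the same input with the weird-server-reply code and still works normally when the STARTTLS reply arrives alone. Detection of the pre-fix condition is therefore cheap: any non-zero cache_size at the moment the TLS upgrade is confirmed is a protocol violation, whatever the cached bytes contain.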