{"id":"AZL-6365","summary":"CVE-2021-22946 affecting package curl for versions less than 7.82.0-1","details":"A user can tell curl \u003e= 7.20.0 and \u003c= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations **without TLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.","modified":"2026-04-01T05:20:11.191219Z","published":"2021-09-29T20:15:08Z","upstream":["CVE-2021-22946"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22946"}],"affected":[{"package":{"name":"curl","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/curl"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.82.0-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-6365.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}