{"id":"CURL-CVE-2021-22925","summary":"TELNET stack contents disclosure again","details":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`\nin libcurl. This rarely used option is used to send variable=content pairs to\nTELNET servers.\n\nDue to flaw in the option parser for sending `NEW_ENV` variables, libcurl\ncould be made to pass on uninitialized data from a stack based buffer to the\nserver. Therefore potentially revealing sensitive internal information to the\nserver using a clear-text network protocol.\n\nThis could happen because curl did not call and use `sscanf()` correctly when\nparsing the string provided by the application.\n\nThe previous curl security vulnerability\n[CVE-2021-22898](https://curl.se/docs/CVE-2021-22898.html) is almost identical\nto this one but the fix was insufficient so this security vulnerability\nremained.","aliases":["CVE-2021-22925"],"modified":"2024-01-16T03:42:48.402718Z","published":"2021-07-21T08:00:00Z","database_specific":{"CWE":{"desc":"Use of Uninitialized Variable","id":"CWE-457"},"award":{"amount":"800","currency":"USD"},"issue":"https://hackerone.com/reports/1223882","affects":"both","www":"https://curl.se/docs/CVE-2021-22925.html","severity":"Medium","package":"curl","last_affected":"7.77.0","URL":"https://curl.se/docs/CVE-2021-22925.json"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.7"},{"fixed":"7.78.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"},{"fixed":"894f6ec730597eb243618d33cc84d71add8d6a8a"}]}],"versions":["7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7"],"database_specific":{"vanir_signatures":[{"deprecated":false,"id":"CURL-CVE-2021-22925-42b460d0","target":{"file":"lib/telnet.c","function":"suboption"},"signature_type":"Function","digest":{"length":2162,"function_hash":"316933520917559347077501990993139660214"},"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/894f6ec730597eb243618d33cc84d71add8d6a8a"},{"deprecated":false,"id":"CURL-CVE-2021-22925-6cb4958a","target":{"file":"lib/telnet.c"},"signature_type":"Line","digest":{"line_hashes":["73371219997613798860273049430938336872","246464346227486228829190896668526825182","211103125117598029027713563117906999281","45302255415263079241276111190376578806","66444213479799562148186156236093836400","171170274092991383111325095799231300614","269634034906769680142597048279449049406","89712093938542999602004345946193224210","263138597271543149838825752148738172629"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/894f6ec730597eb243618d33cc84d71add8d6a8a"}],"source":"https://curl.se/docs/CURL-CVE-2021-22925.json"}}],"schema_version":"1.7.3","credits":[{"name":"Red Hat Product Security","type":"FINDER"},{"name":"Red Hat Product Security","type":"REMEDIATION_DEVELOPER"}]}