{"id":"CURL-CVE-2021-22946","summary":"Protocol downgrade required TLS bypassed","details":"A user can tell curl to **require** a successful upgrade to TLS when speaking\nto an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or\n`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with\nlibcurl). This requirement could be bypassed if the server would return a\nproperly crafted but perfectly legitimate response.\n\nThis flaw would then make curl silently continue its operations **without\nTLS** contrary to the instructions and expectations, exposing possibly\nsensitive data in clear text over the network.","aliases":["CVE-2021-22946"],"modified":"2025-05-15T17:48:29Z","published":"2021-09-15T08:00:00Z","database_specific":{"URL":"https://curl.se/docs/CVE-2021-22946.json","package":"curl","last_affected":"7.78.0","issue":"https://hackerone.com/reports/1334111","affects":"both","CWE":{"id":"CWE-325","desc":"Missing Cryptographic Step"},"www":"https://curl.se/docs/CVE-2021-22946.html","award":{"currency":"USD","amount":"1000"},"severity":"Medium"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.20.0"},{"fixed":"7.79.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ec3bb8f727405642a471b4b1b9eb0118fc003104"},{"fixed":"364f174724ef115c63d5e5dc1d3342c8a43b1cca"}]}],"versions":["7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2021-22946.json","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca","digest":{"function_hash":"119534646122701985596810460089461806602","length":1486},"target":{"function":"pop3_state_capa_resp","file":"lib/pop3.c"},"signature_type":"Function","id":"CURL-CVE-2021-22946-5f144596","deprecated":false},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca","digest":{"function_hash":"121882031565920873706884467438821109063","length":1471},"target":{"function":"imap_state_capability_resp","file":"lib/imap.c"},"signature_type":"Function","id":"CURL-CVE-2021-22946-6defda8f","deprecated":false},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca","digest":{"threshold":0.9,"line_hashes":["125838389204512113423578826374606434992","289602762837242666987156914818922613493","179171292872106229507560278029362949039","288183765666519644003398509602037908454","92508471392044878020809282144142973764","200716318166034695299793617317441905028","237539205585906697208226242736627223267","20172918918252435435422593274820650882","235600200177529034152567186523785762009","143830830183920108636701400704792267639","35472489082358076191769788912533366959","88812204812933384223701543032769186504","291080297044442490145969548900492739442","257361159714823355691712236385661725414","76837617488293126025358191560235520828","321745199110042869894544453879523682123","236983781727613756833659268006828230790","183921628708148935400984650042871557218","312127172919749259694804839433778911310","302199932979784542806140613615325286349"]},"target":{"file":"lib/pop3.c"},"signature_type":"Line","id":"CURL-CVE-2021-22946-8a197a56","deprecated":false},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca","digest":{"function_hash":"289860418622821423771754231295939751145","length":7576},"target":{"function":"ftp_statemachine","file":"lib/ftp.c"},"signature_type":"Function","id":"CURL-CVE-2021-22946-abca795e","deprecated":false},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca","digest":{"threshold":0.9,"line_hashes":["153395863378133571935343146735379407744","285266200701391789832679611765445470611","75615830266170096220067674219446968251","283250084680294900096067565593327260752","127576657757363583813654428021904906681"]},"target":{"file":"lib/ftp.c"},"signature_type":"Line","id":"CURL-CVE-2021-22946-b86032a9","deprecated":false},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca","digest":{"threshold":0.9,"line_hashes":["160527311452759011857898395095269034512","247702492148198457153099115426495892305","154804548404177128963963377829403231875","259679513203107684038850942954233625244","90769121037072737445177478066611626150","37330564880920412587598882536275988455","233502198189969766495942293457048742564","109799684212471158941812409729383557254","271634642669636656141958387753194484974","93224878428641017968236855875397843824","178215163249609003722299128452939284865","88812204812933384223701543032769186504","206622970588395643049612311944086829084","338141911970717966837196764238683293762","88326400223103428612539330923746679711","279768642943648353458040874399811963366"]},"target":{"file":"lib/imap.c"},"signature_type":"Line","id":"CURL-CVE-2021-22946-ba776a99","deprecated":false}]}}],"schema_version":"1.7.3","credits":[{"name":"Patrick Monnerat","type":"FINDER"},{"name":"Patrick Monnerat","type":"REMEDIATION_DEVELOPER"}]}