{"id":"CURL-CVE-2021-22947","summary":"STARTTLS protocol injection via MITM","details":"When curl connects to an IMAP, POP3, SMTP or FTP server and uses STARTTLS to\nupgrade the connection to TLS, the server can still send back multiple\nresponses before the TLS upgrade. curl caches such *pipelined* responses. curl\nthen upgrades to TLS but does not flush the queue of cached responses, and\ninstead uses and trusts the responses it received *before* the TLS handshake\nas if they had been authenticated.\n\nThis lets a Man-In-The-Middle attacker first inject fake responses, then pass\nthrough the TLS traffic from the legitimate server, and trick curl into\ndelivering the injected data to the user as if it came from the TLS-protected\nserver.\n\nOver POP3 and IMAP an attacker can inject fake response data.","aliases":["CVE-2021-22947"],"modified":"2026-04-25T20:30:23.439121Z","published":"2021-09-15T08:00:00Z","database_specific":{"issue":"https://hackerone.com/reports/1334763","www":"https://curl.se/docs/CVE-2021-22947.html","last_affected":"7.78.0","award":{"currency":"USD","amount":"1500"},"package":"curl","affects":"both","severity":"Medium","CWE":{"desc":"Acceptance of Extraneous Untrusted Data With Trusted Data","id":"CWE-349"},"URL":"https://curl.se/docs/CVE-2021-22947.json"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.20.0"},{"fixed":"7.79.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ec3bb8f727405642a471b4b1b9eb0118fc003104"},{"fixed":"8ef147c43646e91fdaad5d0e7b60351f842e5c68"}]}],"versions":["7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2021-22947.json","vanir_signatures_modified":"2026-04-25T20:30:23Z","vanir_signatures":[{"source":"https://github.com/curl/curl.git/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68","digest":{"line_hashes":["15818244023743251246121180721613206346","264290710822608942509023658064866501305","95783402388535053559558371031158626211"],"threshold":0.9},"target":{"file":"lib/pop3.c"},"signature_version":"v1","id":"CURL-CVE-2021-22947-07f97260","signature_type":"Line","deprecated":false},{"source":"https://github.com/curl/curl.git/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68","digest":{"length":367,"function_hash":"156157676711957825618151761474403827986"},"target":{"file":"lib/pop3.c","function":"pop3_state_starttls_resp"},"signature_version":"v1","id":"CURL-CVE-2021-22947-23d78c76","signature_type":"Function","deprecated":false},{"source":"https://github.com/curl/curl.git/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68","digest":{"length":7667,"function_hash":"291176038097903092958094423929849484254"},"target":{"file":"lib/ftp.c","function":"ftp_statemachine"},"signature_version":"v1","id":"CURL-CVE-2021-22947-3c3847ac","signature_type":"Function","deprecated":false},{"source":"https://github.com/curl/curl.git/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68","digest":{"line_hashes":["275891366952409740695405504607708273167","50810222595671691486450676832916381219","182085566426483708655092022698556933392"],"threshold":0.9},"target":{"file":"lib/ftp.c"},"signature_version":"v1","id":"CURL-CVE-2021-22947-6d773650","signature_type":"Line","deprecated":false},{"source":"https://github.com/curl/curl.git/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68","digest":{"length":385,"function_hash":"30512939116690604190976008921301940171"},"target":{"file":"lib/imap.c","function":"imap_state_starttls_resp"},"signature_version":"v1","id":"CURL-CVE-2021-22947-8699633b","signature_type":"Function","deprecated":false},{"source":"https://github.com/curl/curl.git/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68","digest":{"line_hashes":["305664085898564189657251232396021201167","247572126397743259643449771531197290285","121358273080854664279798422557849661627"],"threshold":0.9},"target":{"file":"lib/imap.c"},"signature_version":"v1","id":"CURL-CVE-2021-22947-d3bb20e0","signature_type":"Line","deprecated":false},{"source":"https://github.com/curl/curl.git/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68","digest":{"line_hashes":["293265480734767209467846975422452335043","185199186730252040051498636918179049257","282554681587412631875650047085615870639"],"threshold":0.9},"target":{"file":"lib/smtp.c"},"signature_version":"v1","id":"CURL-CVE-2021-22947-de4c6649","signature_type":"Line","deprecated":false},{"source":"https://github.com/curl/curl.git/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68","digest":{"length":352,"function_hash":"69401027868289425349400319993836981190"},"target":{"file":"lib/smtp.c","function":"smtp_state_starttls_resp"},"signature_version":"v1","id":"CURL-CVE-2021-22947-ee9fdf72","signature_type":"Function","deprecated":false}]}}],"schema_version":"1.7.5","credits":[{"name":"Patrick Monnerat","type":"FINDER"},{"name":"Patrick Monnerat","type":"REMEDIATION_DEVELOPER"}]}
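The failure mode the `details` field describes, as an added simulation that is not part of the advisory record and not curl's code. There is no network and no real TLS: the plaintext leg is a byte string a man-in-the-middle controls (constructed attacker data), and the "TLS" leg is a scripted legitimate server that only answers commands it actually receives. The vulnerable client keeps one receive buffer across the STARTTLS upgrade, so pipelined lines that arrived before the handshake are served as replies to USER/PASS/STAT sent after it. The hardened variant, a hypothetical hardening written for this example rather than the fix in the listed commit, refuses the upgrade when any bytes remain buffered after the STARTTLS reply.

```python
"""Simulated POP3 STLS session showing the CVE-2021-22947 failure mode.

Constructed example, not curl code: no network and no real TLS. The plaintext
leg is attacker-controlled bytes; the "TLS" leg is a scripted honest server.
"""
from typing import Dict, List, Optional

CRLF = b"\r\n"

# What the legitimate server sends in reply to STLS on a clean connection.
LEGIT_STLS_REPLY = b"+OK Begin TLS negotiation" + CRLF

# Constructed attacker data: the real STLS reply followed by pre-cooked
# "answers" for the commands the client will send after the upgrade.
INJECTED_STLS_REPLY = (
    LEGIT_STLS_REPLY
    + b"+OK user accepted" + CRLF             # will be taken as the USER reply
    + b"+OK pass accepted" + CRLF             # ... as the PASS reply
    + b"+OK 1 messages (42 octets)" + CRLF    # ... as the STAT reply
)

POST_UPGRADE_COMMANDS = [b"USER alice", b"PASS hunter2", b"STAT"]


class PipelinedStartTlsError(Exception):
    """Raised by the hardened client when bytes follow the STARTTLS reply."""


class ScriptedTlsServer:
    """Stand-in for the legitimate server behind the (simulated) TLS upgrade."""

    def __init__(self) -> None:
        self.commands_seen: List[bytes] = []

    def exchange(self, command: bytes) -> bytes:
        self.commands_seen.append(command)
        verb = command.split()[0].upper()
        if verb == b"USER":
            return b"+OK name is a valid mailbox" + CRLF
        if verb == b"PASS":
            return b"-ERR authentication failed" + CRLF  # honest server rejects the login
        if verb == b"STAT":
            return b"+OK 0 0" + CRLF
        return b"-ERR unknown command" + CRLF


class Pop3Client:
    """Line-oriented client with one receive buffer shared across the upgrade."""

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.buffer = b""            # received but not yet consumed bytes
        self.tls: Optional[ScriptedTlsServer] = None

    def receive_plaintext(self, data: bytes) -> None:
        self.buffer += data          # one recv() may carry several pipelined lines

    def read_line(self) -> bytes:
        line, self.buffer = self.buffer.split(CRLF, 1)
        return line

    def upgrade_to_tls(self, server: ScriptedTlsServer) -> None:
        if self.hardened and self.buffer:
            # Hypothetical hardening: nothing received before the handshake may
            # later pass as a reply to a post-handshake command.
            raise PipelinedStartTlsError("data pipelined after STARTTLS reply")
        self.tls = server            # vulnerable variant keeps self.buffer as is

    def command(self, cmd: bytes) -> bytes:
        assert self.tls is not None
        self.buffer += self.tls.exchange(cmd)   # real reply is appended...
        return self.read_line()                 # ...but the oldest buffered line wins


def run_session(wire_stls_reply: bytes, hardened: bool) -> Dict[str, object]:
    """Drive STLS -> upgrade -> USER/PASS/STAT and report what the client believed."""
    client = Pop3Client(hardened)
    client.receive_plaintext(wire_stls_reply)
    if not client.read_line().startswith(b"+OK"):
        return {"aborted": True, "reason": "STLS refused"}
    server = ScriptedTlsServer()
    try:
        client.upgrade_to_tls(server)
    except PipelinedStartTlsError as err:
        return {"aborted": True, "reason": str(err)}
    replies = {cmd: client.command(cmd) for cmd in POST_UPGRADE_COMMANDS}
    return {
        "aborted": False,
        "replies": replies,                    # what the client attributed to the server
        "server_saw": server.commands_seen,    # commands that really crossed the TLS leg
        "unread_real_replies": client.buffer,  # honest replies left behind in the buffer
    }


if __name__ == "__main__":
    print(run_session(INJECTED_STLS_REPLY, hardened=False))
    print(run_session(INJECTED_STLS_REPLY, hardened=True))
```

With the injected wire data the vulnerable client reports a successful login and one message while the honest server's `-ERR authentication failed` sits unread in the buffer; the hardened client aborts before sending any credentials. On a clean wire both variants behave identically, which is the check to keep in mind when adding such a rejection: it must not break servers that reply with exactly one line.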