vulnerability
Amazon Linux AMI 2: CVE-2021-22924: Security patch for curl (ALAS-2021-1700)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Aug 5, 2021 | Sep 16, 2021 | Nov 26, 2024 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Published
Aug 5, 2021
Added
Sep 16, 2021
Modified
Nov 26, 2024
Description
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
Solutions
amazon-linux-ami-2-upgrade-curlamazon-linux-ami-2-upgrade-curl-debuginfoamazon-linux-ami-2-upgrade-libcurlamazon-linux-ami-2-upgrade-libcurl-devel
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.