vulnerability
Oracle Linux: CVE-2021-22923: ELSA-2021-3582: curl security update (MODERATE)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 3 | (AV:N/AC:H/Au:N/C:P/I:N/A:N) | Jul 21, 2021 | Sep 22, 2021 | Dec 3, 2025 |
Severity
3
CVSS
(AV:N/AC:H/Au:N/C:P/I:N/A:N)
Published
Jul 21, 2021
Added
Sep 22, 2021
Modified
Dec 3, 2025
Description
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
A flaw was found in curl in the way curl handles credentials when downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to gain access to credentials provided while downloading content without the user's knowledge. The highest threat from this vulnerability is to confidentiality.
A flaw was found in curl in the way curl handles credentials when downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to gain access to credentials provided while downloading content without the user's knowledge. The highest threat from this vulnerability is to confidentiality.
Solutions
oracle-linux-upgrade-curloracle-linux-upgrade-libcurloracle-linux-upgrade-libcurl-develoracle-linux-upgrade-libcurl-minimal
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.