Insufficiently Protected Credentials

Affecting curl package, versions <7.78.0-r0

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Alpine:3.12 relevant versions.

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents, often contrary to the user's expectations and intentions and without telling the user it happened.

Remediation

Upgrade Alpine:3.12 curl to version 7.78.0-r0 or higher.

CVSS Score

5.3 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

  • CVE: CVE-2021-22923
  • CWE: CWE-522
  • Snyk ID: SNYK-ALPINE312-CURL-1533449
  • Disclosed: 05 Aug, 2021
  • Published: 26 Jul, 2021