Wind River Support Network

Fixed

LIN1021-947 : Security Advisory - curl - CVE-2021-22925

Created: Jul 21, 2021    Updated: Aug 24, 2021
Resolved Date: Aug 23, 2021
Found In Version: 10.21.20.1
Fix Version: 10.21.20.4
Severity: Standard
Applicable for: Wind River Linux LTS 21
Component/s: Userspace

Description

curl supports the '-t' command line option, known as 'CURLOPT_TELNETOPTIONS' in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers.

Due to a flaw in the option parser for sending 'NEW_ENV' variables, libcurl could be made to pass on uninitialized data from a stack-based buffer to the server, potentially revealing sensitive internal information to the server using a clear-text network protocol.

This could happen because curl did not call and use sscanf() correctly when parsing the string provided by the application.

https://nvd.nist.gov/vuln/detail/CVE-2021-22925
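
The class of sscanf() mistake described above, as an added illustration that is not curl's or Wind River's code: a width-limited parse whose result is not checked, paired with a send length taken from the raw input. The "name,value" input layout, the 127-byte field limit and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 127  /* assumed per-field limit for this example */

/* Flawed accounting: bytes a sender would transmit if it trusted the raw
   input length, minus the bytes the bounded parse really produced. A positive
   result is stale buffer content that would go on the wire. */
long stale_bytes_if_unchecked(const char *in)
{
    char name[FIELD_MAX + 1] = "", value[FIELD_MAX + 1] = "";
    char out[512];
    /* Mistake 1: the number of converted fields is ignored. */
    (void)sscanf(in, "%127[^,],%127s", name, value);
    int written = snprintf(out, sizeof out, "%s=%s", name, value);
    /* Mistake 2: the length is derived from the input, not from 'written'. */
    return (long)strlen(in) - (long)written;
}

/* Hardened: require both fields, require that the whole input was consumed
   (no silent truncation), and report the length actually written. */
int encode_pair(const char *in, char *out, size_t outsz)
{
    char name[FIELD_MAX + 1], value[FIELD_MAX + 1];
    int consumed = 0;
    if (sscanf(in, "%127[^,],%127s%n", name, value, &consumed) != 2)
        return -1;                      /* missing name or value */
    if (in[consumed] != '\0')
        return -1;                      /* field truncated or trailing data */
    int written = snprintf(out, outsz, "%s=%s", name, value);
    if (written < 0 || (size_t)written >= outsz)
        return -1;                      /* output did not fit */
    return written;                     /* only this many bytes may be sent */
}

int main(void)
{
    char big[203], out[512];            /* constructed oversized input */
    big[0] = 'A'; big[1] = ',';
    memset(big + 2, 'x', 200);
    big[202] = '\0';
    printf("stale bytes (unchecked): %ld\n", stale_bytes_if_unchecked(big));
    printf("hardened result: %d\n", encode_pair(big, out, sizeof out));
    return 0;
}
```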
