CVE-2021-22898: Infoleak

Published May 26, 2021
·
Updated

A flaw was found in the way curl handled telnet protocol option for sending environment variables, which could lead to sending of uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol.

Other sources

A vulnerability was found in curl where, due to flaw in the option parser for sending NEWENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server. Therefore potentially revealing sensitive internal information to the server using a clear-text network protocol.

Red Hat

curl 7.7 through 7.76.1 suffers from an information disclosure when the -t command line option, known as CURLOPTTELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEWENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the option parser for sending NEWENV variables. By sending a specially-crafted request using a clear-text network protocol, an attacker could exploit this vulnerability to obtain sensitive internal information to the server, and use this information to launch further attacks against the affected system.

IBM

Affected Software

25 affected componentsFixes available
redhat/curl<0:7.61.1-22.el8
0:7.61.1-22.el8
debian/curl<=7.64.0-4+deb10u2
7.64.0-4+deb10u77.74.0-1.3+deb11u97.74.0-1.3+deb11u107.88.1-10+deb12u37.88.1-10+deb12u48.4.0-2
debian/curl<=7.74.0-1.2, <=7.64.0-4, <=7.64.0-4+deb10u2, <=7.64.0-4+deb10u1
redhat/curl<7.77.0
7.77.0
IBM QRadar SIEM<=7.5.0 GA
IBM QRadar SIEM<=7.4.3 GA - 7.4.3 FP4
IBM QRadar SIEM<=7.3.3 GA - 7.3.3 FP10
haxx curl>=7.7<=7.76.1
Debian Debian Linux=9.0
Fedoraproject Fedora=33
Fedoraproject Fedora=34
Oracle Communications Cloud Native Core Binding Support Function=1.11.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment=1.10.0
Oracle Communications Cloud Native Core Network Repository Function=1.15.0
Oracle Communications Cloud Native Core Network Repository Function=1.15.1
Oracle Communications Cloud Native Core Network Slice Selection Function=1.8.0
Oracle Communications Cloud Native Core Service Communication Proxy=1.15.0
Oracle Essbase<11.1.2.4.047
Oracle Essbase>=21.0<21.3
Oracle MySQL Server<5.7.34
Oracle MySQL Server>=8.0.15<8.0.25
Siemens Sinec Infrastructure Network Services<1.0.1.1
Splunk Universal Forwarder>=8.2.0<8.2.12
Splunk Universal Forwarder>=9.0.0<9.0.6
Splunk Universal Forwarder=9.1.0

Remediation

Patch Available

http://www.openwall.com/lists/oss-security/2021/07/21/4

Patch Available

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch Available

https://curl.se/docs/CVE-2021-22898.html

Patch Available

https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde

Patch Available

https://hackerone.com/reports/1176461

Patch Available

https://www.oracle.com//security-alerts/cpujul2021.html

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2022.html

Information

This issue can be avoided by not setting any telnet options for the curl command line tool (using the -t / --telnet-option command line option) or the libcurl library (using the CURLOPT_TELNETOPTIONS option) when telnet protocol is not meant to be used. If telnet protocol needs to be used with curl / libcurl, along with the NEW_ENV telnet option, ensure that no environment variable set via the NEW_ENV option has the name or value longer than 127 bytes.

Event History

May 26, 2021
CVE Published
12:00 AM
Jun 11, 2021
CVE Published
via MITRE·03:49 PM
Data Sourced
via MITRE·03:49 PM
DescriptionWeakness
Data Sourced
via NVD·04:15 PM
RemedyDescriptionSeverityWeaknessAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-22898?

CVE-2021-22898 is a vulnerability in the curl library that allows for information disclosure when using the `-t` command line option.

2

What is the severity of CVE-2021-22898?

CVE-2021-22898 has a severity rating of 7.5 (high).

3

Which software versions are affected by CVE-2021-22898?

CVE-2021-22898 affects curl versions 7.7 through 7.76.1.

4

How can I fix CVE-2021-22898?

To fix CVE-2021-22898, update curl to version 7.88.1-11 or higher.

5

Is there any additional information available for CVE-2021-22898?

Yes, you can find additional information about CVE-2021-22898 in the references provided.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203