Bug 2003175 (CVE-2021-22946) - CVE-2021-22946 curl: Requirement to use TLS not properly enforced for IMAP, POP3, and FTP protocols
Summary: CVE-2021-22946 curl: Requirement to use TLS not properly enforced for IMAP, P...
Alias: CVE-2021-22946
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2003663 2003664 2003665 2003725 2003727 2003728 2004649 2003661 2003662 2003726 2004927
Blocks: 2001529
Reported: 2021-09-10 14:11 UTC by Marian Rehak
Modified: 2021-11-02 14:08 UTC

Fixed In Version: curl 7.79.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in curl. This flaw lies in the --ssl-reqd option, or the related CURLOPT_USE_SSL settings in libcurl. Users specify this option to require an upgrade to TLS when communicating with an IMAP, POP3 or FTP server. An attacker controlling such a server could return a crafted response that causes the curl client to continue its operation without TLS encryption, so that data is transmitted in clear text over the network. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Last Closed: 2021-11-02 14:08:19 UTC

System                   ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2021:4059  0        None      None    None     2021-11-02 08:43:48 UTC

Description Marian Rehak 2021-09-10 14:11:33 UTC
A user can tell curl to **require** a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement can be bypassed. This flaw would then make curl silently continue its operations **without TLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

Upstream Advisory:


Comment 6 gkamathe 2021-09-16 13:04:10 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2004927]

Comment 7 errata-xmlrpc 2021-11-02 08:43:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4059 https://access.redhat.com/errata/RHSA-2021:4059

Comment 8 Product Security DevOps Team 2021-11-02 14:08:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

