A user can tell curl to **require** a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement can be bypassed. This flaw would then make curl silently continue its operations **without TLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
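An inventory check for the two ways of requiring the upgrade described above (an added example, not code from this bug report or from the curl project; the function names, regex and sample lines are constructed for illustration). It flags `curl` command lines that pass `--ssl-reqd` to an `imap://`, `pop3://` or `ftp://` URL, and source lines that set `CURLOPT_USE_SSL` to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL`, so the callers relying on this guarantee can be located and matched against the fixed packages.

```python
import re
import shlex

# Schemes the page names; on these, TLS is reached by an in-band upgrade.
UPGRADE_SCHEMES = ("imap://", "pop3://", "ftp://")
# libcurl form named on the page: CURLOPT_USE_SSL set to CONTROL or ALL.
LIBCURL_RE = re.compile(
    r"CURLOPT_USE_SSL\s*,\s*(?:\(long\)\s*)?(CURLUSESSL_(?:CONTROL|ALL))\b")


def audit_line(line):
    """Return a finding dict if the line requires a TLS upgrade, else None."""
    m = LIBCURL_RE.search(line)
    if m:
        return {"kind": "libcurl", "level": m.group(1), "urls": []}
    try:
        argv = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: not a parsable command line
        return None
    programs = [a.rsplit("/", 1)[-1] for a in argv]
    if "curl" not in programs or "--ssl-reqd" not in argv:
        return None
    urls = [a for a in argv if a.lower().startswith(UPGRADE_SCHEMES)]
    if not urls:  # e.g. https:// or imaps://, where no upgrade step is used
        return None
    return {"kind": "cli", "level": "--ssl-reqd", "urls": urls}


def audit(text):
    """Scan text line by line; return (line_number, finding) pairs."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        finding = audit_line(line)
        if finding:
            hits.append((n, finding))
    return hits


# Constructed sample input (hosts and credentials are placeholders).
SAMPLE = """\
curl --ssl-reqd -u user:pw imap://mail.example.test/INBOX
curl -u user:pw imaps://mail.example.test/INBOX
/usr/bin/curl --ssl-reqd -T report.csv ftp://files.example.test/in/
curl --ssl-reqd https://www.example.test/
curl_easy_setopt(h, CURLOPT_USE_SSL, (long)CURLUSESSL_ALL);
curl_easy_setopt(h, CURLOPT_USE_SSL, (long)CURLUSESSL_TRY);
"""

if __name__ == "__main__":
    for n, f in audit(SAMPLE):
        print(n, f["kind"], f["level"], " ".join(f["urls"]))
```

The check works on text only: it does not detect whether a given curl build is affected, and it will miss invocations where the option or URL is assembled at run time.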
Created curl tracking bugs for this issue:
Affects: fedora-all [bug 2004927]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4059 https://access.redhat.com/errata/RHSA-2021:4059
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):