When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. Upstream Advisory: https://github.com/curl/curl/commit/ec3bb8f727405
Created curl tracking bugs for this issue: Affects: fedora-all [bug 2004363]
Upstream advisory: https://curl.se/docs/CVE-2021-22947.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4059 https://access.redhat.com/errata/RHSA-2021:4059
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22947
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0635 https://access.redhat.com/errata/RHSA-2022:0635
This issue has been addressed in the following products: .NET Core on Red Hat Enterprise Linux Via RHSA-2022:1354 https://access.redhat.com/errata/RHSA-2022:1354