Bug 2003191 (CVE-2021-22947) - CVE-2021-22947 curl: Server responses received before STARTTLS processed after TLS handshake
Summary: CVE-2021-22947 curl: Server responses received before STARTTLS processed afte...
Alias: CVE-2021-22947
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2003736 2003686 2003687 2003688 2003689 2003690 2003733 2003734 2003735 2004363 2004650 2038280
Blocks: 2001529
TreeView+ depends on / blocked
Reported: 2021-09-10 14:39 UTC by Marian Rehak
Modified: 2022-05-17 09:41 UTC (History)
45 users (show)

Fixed In Version: curl 7.79.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in curl. The flaw lies in how curl handles cached or pipelined responses that it receives from either a IMAP, POP3, SMTP or FTP server before the TLS upgrade using STARTTLS. In such a scenario curl even after upgrading to TLS would trust these cached responses treating them as valid and authenticated and use them. An attacker could potentially use this flaw to carry out a Man-In-The-Middle attack. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Last Closed: 2021-11-02 14:08:24 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4059 0 None None None 2021-11-02 08:43:53 UTC
Red Hat Product Errata RHSA-2022:0635 0 None None None 2022-02-22 15:54:35 UTC
Red Hat Product Errata RHSA-2022:1354 0 None None None 2022-04-13 14:29:24 UTC

Description Marian Rehak 2021-09-10 14:39:26 UTC
When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Using this flaw, it allows a Man-In-The-Middle attacker to first inject the
fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

Upstream Advisory:


Comment 4 gkamathe 2021-09-15 06:35:20 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2004363]

Comment 6 Tomas Hoger 2021-10-07 09:04:03 UTC
Upstream advisory:


Comment 7 errata-xmlrpc 2021-11-02 08:43:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4059 https://access.redhat.com/errata/RHSA-2021:4059

Comment 8 Product Security DevOps Team 2021-11-02 14:08:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 16 errata-xmlrpc 2022-02-22 15:54:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0635 https://access.redhat.com/errata/RHSA-2022:0635

Comment 17 errata-xmlrpc 2022-04-13 14:29:21 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:1354 https://access.redhat.com/errata/RHSA-2022:1354

Note You need to log in before you can comment on or make changes to this bug.