PT-2021-4913 · Curl+10
Published 2021-09-15 · Updated 2026-05-18 · CVE-2021-22946
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions
curl versions 7.20.0 through 7.78.0
Description
curl can require a TLS upgrade for IMAP, POP3 and FTP sessions, negotiated with the STARTTLS (IMAP), STLS (POP3) and AUTH TLS (FTP) commands, when the transfer is run with --ssl-reqd or with CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL. Because of a bug in how curl handled the server's response to these commands, a server that returned a crafted but perfectly legitimate response could make curl silently continue the session without TLS, contrary to the instructions and expectations, so credentials and other sensitive data were sent in clear text over the network. A remote attacker who controls or impersonates the server, or who can tamper with the traffic as a man-in-the-middle, can use this to force the downgrade and read the cleartext session.
Recommendations
For curl versions 7.20.0 through 7.78.0, update to version 7.79.0 or later, which contains the fix.
Disabling --ssl-reqd or CURLOPT_USE_SSL is not a workaround: it removes the TLS requirement outright and makes cleartext the normal behaviour rather than a downgrade. Until the update is applied, use the implicit-TLS schemes imaps://, pop3s:// and ftps:// (default ports 993, 995 and 990), where the TLS handshake completes before any protocol command is exchanged and no STARTTLS-style upgrade response is involved.
Restrict which hosts a vulnerable curl or libcurl may reach over IMAP, POP3 and FTP to limit the exposure until it is updated.
After updating, keep --ssl-reqd, or CURLOPT_USE_SSL with CURLUSESSL_CONTROL or CURLUSESSL_ALL, in place: with the fix, a failed upgrade aborts the transfer instead of continuing in clear text.
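The checks a practitioner would run before and after applying the recommendations above, as an added example that is not part of this advisory or of the curl project: a POSIX sh script that decides whether a curl build is in the affected range 7.20.0 through 7.78.0 and sorts curl invocations by whether they rely on the STARTTLS-style upgrade (plaintext scheme plus --ssl-reqd), use implicit TLS (imaps://, pop3s://, ftps://), or run in clear text. The banner, hostnames and command lines are constructed sample input, and curl_version_key, curl_affected, classify_invocation and implicit_tls_url are names chosen for this example. --ftp-ssl and --ftp-ssl-reqd are treated as the deprecated aliases of --ssl and --ssl-reqd.

```shell
#!/bin/sh
# Added example, not from the advisory or the curl project: CVE-2021-22946 exposure check.
# Hostnames, the sample banner and the sample command lines below are constructed.

# Turn "7.78.0" (also "7.78.0-DEV" or "7.78") into an integer for comparison.
curl_version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    maj=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0
    min=${rest%%.*}
    pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0
    echo $((maj * 10000 + min * 100 + pat))
}

# True (exit 0) when the version lies within 7.20.0 .. 7.78.0 inclusive.
curl_affected() {
    k=$(curl_version_key "$1")
    [ "$k" -ge "$(curl_version_key 7.20.0)" ] && [ "$k" -le "$(curl_version_key 7.78.0)" ]
}

# Pull the version out of the first line of `curl --version` output.
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Classify one curl command line:
#   starttls      plaintext scheme with --ssl-reqd: TLS required, but negotiated via
#                 STARTTLS/STLS/AUTH TLS, the path this CVE downgrades
#   opportunistic plaintext scheme with --ssl: falls back to clear text by design
#   implicit      imaps:// pop3s:// ftps://: TLS before any protocol command
#   cleartext     plaintext scheme and no TLS requested at all
#   other         not an IMAP/POP3/FTP transfer
classify_invocation() {
    line=$1
    case "$line" in
        *sftp://*|*tftp://*) echo other; return ;;
        *imaps://*|*pop3s://*|*ftps://*) echo implicit; return ;;
        *imap://*|*pop3://*|*ftp://*) ;;
        *) echo other; return ;;
    esac
    case " $line " in
        *" --ssl-reqd "*|*" --ftp-ssl-reqd "*) echo starttls ;;
        *" --ssl "*|*" --ftp-ssl "*) echo opportunistic ;;
        *) echo cleartext ;;
    esac
}

# Rewrite a URL to its implicit-TLS scheme. An explicit port is left as written, so
# change it to 993/995/990 (or the server's TLS port) if the URL pins a plaintext port.
implicit_tls_url() {
    printf '%s\n' "$1" | sed -e 's#^imap://#imaps://#' -e 's#^pop3://#pop3s://#' -e 's#^ftp://#ftps://#'
}

# Constructed sample input: a curl banner and a few invocations an audit might find.
SAMPLE_BANNER='curl 7.78.0 (x86_64-pc-linux-gnu) libcurl/7.78.0 OpenSSL/1.1.1k zlib/1.2.11'
SAMPLE_CMDS='curl --ssl-reqd -u alice imap://mail.example.test/INBOX
curl -u bob pop3://mail.example.test/
curl --ssl -T report.txt ftp://files.example.test/upload/
curl -u alice imaps://mail.example.test/INBOX
curl -O sftp://files.example.test/data.bin'

audit_sample() {
    ver=$(curl_version_from_banner "$SAMPLE_BANNER")
    if curl_affected "$ver"; then
        echo "curl $ver is in the affected range 7.20.0-7.78.0: upgrade to 7.79.0 or later"
    else
        echo "curl $ver is outside the affected range"
    fi
    printf '%s\n' "$SAMPLE_CMDS" | while IFS= read -r cmd; do
        kind=$(classify_invocation "$cmd")
        printf '%-13s %s\n' "$kind" "$cmd"
        if [ "$kind" = starttls ]; then
            printf '%-13s use %s\n' '' "$(implicit_tls_url "${cmd##* }")"
        fi
    done
}

audit_sample
```

On a real host, feed `curl_version_from_banner "$(curl --version)"` and the output of a grep for `curl ` over cron jobs, scripts and CI configuration into these functions. Only the starttls class is the downgrade path this advisory describes; the opportunistic class (--ssl) falls back to clear text by design and should be reviewed on its own merits.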
CWE-319: Cleartext Transmission of Sensitive Information
Affected Products
Alt Linux
Astra Linux
Centos
Linuxmint
Apple Macos
Mysql Server
Red Hat
Rocky Linux
Suse
Ubuntu
Curl