PT-2021-6777 · Curl+6

Published: 2021-07-21 · Updated: 2026-05-18 · CVE-2021-22922

CVSS v2.0: 7.1 High

Vector: AV:N/AC:M/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: curl (affected versions not specified)
Description: The issue is in curl's metalink feature, which allows the same content to be downloaded from multiple URLs. The metalink XML file provides a hash for verifying the contents. If a server hosting the content is breached and the file is replaced with a modified payload, curl should detect the hash mismatch once the download completes and remove the contents. This does not happen: the potentially malicious content is kept on disk. The hash mismatch is only mentioned in text, and the user may not notice the message.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Improper Handling of Exceptional Conditions


Weakness Enumeration

Related Identifiers

ALT-PU-2021-2348
ALT-PU-2021-2856
ALT-PU-2021-2908
ALT-PU-2021-3241
ALT-PU-2021-3666
ALT-PU-2022-2171
ALT-PU-2023-1912
AZL-6361
BDU:2022-02169
CESA-2021_3582
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2021-22922
MGASA-2021-0384
OESA-2022-1506
OPENSUSE-SU-2021:1088-1
OPENSUSE-SU-2021:2439-1
OPENSUSE-SU-2021_1088-1
OPENSUSE-SU-2021_2439-1
OPENSUSE-SU-2024:10582-1
OPENSUSE-SU-2024:12116-1
RHSA-2021:3582
RHSA-2021:3903
RHSA-2021_3582
RLSA-2021:3582
SUSE-SU-2021:14768-1
SUSE-SU-2021:2425-1
SUSE-SU-2021:2439-1
SUSE-SU-2021:2440-1
SUSE-SU-2021:2462-1
SUSE-SU-2021_14768-1
SUSE-SU-2021_2425-1
SUSE-SU-2021_2439-1
SUSE-SU-2021_2440-1
SUSE-SU-2021_2462-1

Affected Products

Alt Linux
CentOS
Debian
Red Hat
Rocky Linux
SUSE
Curl