PT-2021-6778

Published: 2021-07-21 · Updated: 2026-05-18 · CVE-2021-22923

CVSS v2.0: 5.4 (Medium)
Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: curl versions prior to 7.77.0
Description: The issue is related to insufficient protection of credentials, allowing a remote party to obtain confidential data. When curl is instructed to get content using the metalink feature and a user name and password are used to download the metalink XML file, those same credentials are subsequently passed on to each of the servers from which curl downloads or tries to download the content, often contrary to the user's expectations and intentions and without telling the user that it happened.
Recommendations: For versions prior to 7.77.0, update to version 7.77.0 or later to resolve the issue. As a temporary workaround, consider disabling the metalink feature until a patch is available. Avoid supplying a user name and password when fetching metalink files until the issue is resolved. Restrict access to the metalink XML file to minimize the risk of exploitation.

Weakness Enumeration

Insufficiently Protected Credentials
Cleartext Transmission of Sensitive Information

Related Identifiers

ALT-PU-2021-2348
ALT-PU-2021-2856
ALT-PU-2021-2908
ALT-PU-2021-3241
ALT-PU-2021-3666
ALT-PU-2022-2171
ALT-PU-2023-1912
AZL-6362
BDU:2022-02170
CESA-2021_3582
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2021-22923
MGASA-2021-0384
OESA-2022-1506
OPENSUSE-SU-2021:1088-1
OPENSUSE-SU-2021:2439-1
OPENSUSE-SU-2021_1088-1
OPENSUSE-SU-2021_2439-1
OPENSUSE-SU-2024:12116-1
RHSA-2021:3582
RHSA-2021:3903
RHSA-2021_3582
RLSA-2021:3582
SUSE-SU-2021:14768-1
SUSE-SU-2021:2425-1
SUSE-SU-2021:2439-1
SUSE-SU-2021:2440-1
SUSE-SU-2021:2462-1
SUSE-SU-2021_14768-1

Affected Products

ALT Linux
Astra Linux
CentOS
Debian
Red Hat
Rocky Linux
SUSE
curl