QwikSec

Security Database

CVE

CWE

Training

CVE-2021-22946

Published: Sep 29, 2021

Modified: Apr 16, 2026

PUBLISHED

Description

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

Vendor	Product	Versions
n/a	https://github.com/curl/curl	affected `curl 7.20.0 to and including 7.78.0`

Weaknesses (CWE)

References

https://hackerone.com/reports/1334111

[debian-lts-announce] 20210930 [SECURITY] [DLA 2773-1] curl security update

mailing-list

FEDORA-2021-fc96a3a749

vendor-advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

FEDORA-2021-1d24845e93

vendor-advisory

https://www.oracle.com/security-alerts/cpujan2022.html

https://security.netapp.com/advisory/ntap-20211029-0003/

https://security.netapp.com/advisory/ntap-20220121-0008/

20220314 APPLE-SA-2022-03-14-4 macOS Monterey 12.3

mailing-list

https://www.oracle.com/security-alerts/cpuapr2022.html

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

https://support.apple.com/kb/HT213183

https://www.oracle.com/security-alerts/cpujul2022.html

vendor-advisory

[debian-lts-announce] 20220828 [SECURITY] [DLA 3085-1] curl security update

mailing-list

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.