CVE-2021-22901

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-22901
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22901.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-22901
Aliases
Downstream
Related
Published
2021-06-11T16:15:11.120Z
Modified
2026-05-16T04:03:02.977860489Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.

Database specific 
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "1.11.0"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_cloud_native_core_binding_support_function"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "1.10.0"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_cloud_native_core_network_function_cloud_native_environment"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "1.15.0"
                },
                {
                    "last_affected": "1.15.1"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_cloud_native_core_network_repository_function"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "1.8.0"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_cloud_native_core_network_slice_selection_function"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "1.15.0"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_cloud_native_core_service_communication_proxy"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "fixed": "11.1.2.4.047"
                },
                {
                    "introduced": "21.0"
                },
                {
                    "fixed": "21.3"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "oracle:essbase"
        },
        {
            "cpes": [
                "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "fixed": "1.0.1.1"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "siemens:sinec_infrastructure_network_services"
        },
        {
            "cpes": [
                "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*",
                "cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "8.2.0"
                },
                {
                    "fixed": "8.2.12"
                },
                {
                    "introduced": "9.0.0"
                },
                {
                    "fixed": "9.0.6"
                },
                {
                    "last_affected": "9.1.0"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "splunk:universal_forwarder"
        }
    ]
}
References

Affected packages