CVE-2021-3716

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-3716
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3716.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-3716
Downstream
Related
Published
2022-03-02T23:15:09Z
Modified
2025-09-16T07:17:18.323296Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
[none]
Details

A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBDOPTSTRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.

References

Affected packages

Debian:11 / nbdkit

Package

Name
nbdkit
Purl
pkg:deb/debian/nbdkit?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.24.1-2
1.26.3-1
1.26.5-1
1.26.6-1
1.26.6-2
1.28.3-1
1.28.3-2
1.28.4-1
1.28.5-1
1.30.0-1
1.30.2-1
1.30.3-1
1.30.4-1
1.30.6-1
1.30.7-1
1.30.8-1
1.30.9-1
1.32.2-1
1.32.2-2
1.32.2-3
1.32.3-1
1.32.4-1
1.32.5-1
1.34.0-1
1.34.1-1
1.34.2-1
1.34.2-2
1.34.2-3
1.34.2-4
1.34.2-5
1.34.2-6
1.34.2-7
1.34.2-8
1.34.2-9
1.34.2-10
1.34.3-1
1.34.4-1
1.36.0-1
1.36.1-1
1.36.2-1
1.36.3-1
1.38.0-1
1.38.1-1
1.38.2-1
1.38.2-2
1.38.3-1
1.40.0-1
1.40.2-1
1.40.2-2
1.40.3-1
1.40.4-1
1.40.4-2
1.40.4-3
1.40.4-4
1.40.4-5
1.40.4-6
1.40.4-7
1.40.4-8
1.40.4-9
1.40.4-10
1.40.4-11
1.40.5-1
1.42.0-1
1.42.1-1
1.42.2-1
1.42.3-1
1.42.4-1
1.42.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / nbdkit

Package

Name
nbdkit
Purl
pkg:deb/debian/nbdkit?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.26.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / nbdkit

Package

Name
nbdkit
Purl
pkg:deb/debian/nbdkit?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.26.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / nbdkit

Package

Name
nbdkit
Purl
pkg:deb/debian/nbdkit?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.26.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / gitlab.com/nbdkit/nbdkit

Affected ranges

Type
GIT
Repo
https://gitlab.com/nbdkit/nbdkit
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
09a13dafb7bb3a38ab52eb5501cba786365ba7fd
Fixed
6c5faac6a37077cf2366388a80862bb00616d0d8

Affected versions

1.*

1.1.11

v0.*

v0.1.0

v1.*

v1.0.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.16
v1.1.17
v1.1.18
v1.1.19
v1.1.2
v1.1.20
v1.1.21
v1.1.22
v1.1.23
v1.1.24
v1.1.25
v1.1.26
v1.1.27
v1.1.28
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.10.0
v1.11.1
v1.11.10
v1.11.11
v1.11.12
v1.11.13
v1.11.14
v1.11.15
v1.11.2
v1.11.3
v1.11.4
v1.11.5
v1.11.6
v1.11.7
v1.11.8
v1.11.9
v1.12.0
v1.13.0
v1.13.1
v1.13.2
v1.13.3
v1.13.4
v1.13.5
v1.13.6
v1.13.7
v1.13.8
v1.13.9
v1.14.0
v1.15.1
v1.15.2
v1.15.3
v1.15.4
v1.15.5
v1.15.6
v1.15.7
v1.15.8
v1.16.0
v1.17.1
v1.17.10
v1.17.11
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.17.7
v1.17.8
v1.17.9
v1.18.0
v1.19.1
v1.19.10
v1.19.11
v1.19.12
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.19.6
v1.19.7
v1.19.8
v1.19.9
v1.20.0
v1.21.1
v1.21.10
v1.21.11
v1.21.12
v1.21.13
v1.21.14
v1.21.15
v1.21.16
v1.21.17
v1.21.18
v1.21.19
v1.21.2
v1.21.20
v1.21.21
v1.21.22
v1.21.23
v1.21.24
v1.21.25
v1.21.26
v1.21.3
v1.21.4
v1.21.5
v1.21.6
v1.21.7
v1.21.8
v1.21.9
v1.23.1
v1.23.10
v1.23.11
v1.23.12
v1.23.13
v1.23.2
v1.23.3
v1.23.4
v1.23.5
v1.23.6
v1.23.7
v1.23.8
v1.23.9
v1.24.0
v1.25.1
v1.25.2
v1.25.3
v1.25.4
v1.25.5
v1.25.6
v1.25.7
v1.25.8
v1.25.9
v1.26.0
v1.27.1
v1.27.2
v1.27.3
v1.27.4
v1.27.5
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.4.0
v1.5.0
v1.5.1
v1.5.10
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.6.0
v1.7.0
v1.7.1
v1.7.10
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.9.0
v1.9.1
v1.9.10
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v1.9.9

Database specific 

{
    "vanir_signatures": [
        {
            "digest": {
                "line_hashes": [
                    "17736055569549823576078601167558441071",
                    "252569956524523289579052347941166243611",
                    "297470718666234456831894338929195417055"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Line",
            "id": "CVE-2021-3716-07c259cd",
            "source": "https://gitlab.com/nbdkit/nbdkit@09a13dafb7bb3a38ab52eb5501cba786365ba7fd",
            "target": {
                "file": "server/protocol-handshake-newstyle.c"
            }
        },
        {
            "digest": {
                "function_hash": "278656485481587851966178619826305884851",
                "length": 9714.0
            },
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Function",
            "id": "CVE-2021-3716-72881b3f",
            "source": "https://gitlab.com/nbdkit/nbdkit@09a13dafb7bb3a38ab52eb5501cba786365ba7fd",
            "target": {
                "function": "negotiate_handshake_newstyle_options",
                "file": "server/protocol-handshake-newstyle.c"
            }
        }
    ]
}