CVE-2021-22926
https://notcve.org/view.php?id=CVE-2021-22926
libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake. Las aplicaciones que usan libcurl pueden pedir un certificado de cliente específico para ser usado en una transferencia. Esto se hace con la opción "CURLOPT_SSLCERT" ("--cert" con la herramienta de línea de comandos).Cuando libcurl se construye para usar la biblioteca TLS nativa de macOS Transporte Seguro, una aplicación puede pedir el certificado del cliente por su nombre o con un nombre de archivo - usando la misma opción. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1234760 https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cuser • CWE-295: Improper Certificate Validation CWE-840: Business Logic Errors •
CVE-2021-22922 – curl: Content not matching hash in Metalink is not being discarded
https://notcve.org/view.php?id=CVE-2021-22922
When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk. Cuando es instruido a curl descargar un contenido usando la funcionalidad metalink, el contenido es comprobado con un hash proporcionado en el archivo XML metalink. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1213175 https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cuser • CWE-20: Improper Input Validation CWE-755: Improper Handling of Exceptional Conditions CWE-840: Business Logic Errors •
CVE-2021-22923 – curl: Metalink download sends credentials
https://notcve.org/view.php?id=CVE-2021-22923
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. Cuando es instruido a curl de obtener contenidos usando la funcionalidad metalink, y se usan un nombre de usuario y una contraseña para descargar el archivo XML metalink, esas mismas credenciales se pasan subsecuentemente a cada uno de los servidores de los que curl descargará o intentará descargar los contenidos. A menudo, en contra de las expectativas e intenciones del usuario y sin avisarle de lo sucedido A flaw was found in curl in the way curl handles credentials when downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to gain access to credentials provided while downloading content without the user's knowledge. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1213181 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V https://security.gentoo.org/glsa/202212-01 https://security.netapp.com/advisory/ntap-20210902-0003 https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-22923 https://bugzilla.redhat.com/show_bug.cgi?id=1981438 • CWE-319: Cleartext Transmission of Sensitive Information CWE-522: Insufficiently Protected Credentials •
CVE-2021-32804 – Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
https://notcve.org/view.php?id=CVE-2021-32804
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. • https://github.com/yamory/CVE-2021-32804 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4 https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9 https://www.npmjs.com/advisories/1770 https://www.npmjs.com/package/tar https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-32804 https://bugzilla.redhat.com/show_bug.cgi?id=1990409 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2021-32803 – Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
https://notcve.org/view.php?id=CVE-2021-32803
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20 https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw https://www.npmjs.com/advisories/1771 https://www.npmjs.com/package/tar https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-32803 https://bugzilla.redhat.com/show_bug.cgi?id=1990415 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •