CVE-2021-22945

Опубликовано: 15 сент. 2021

Источник: redhat

CVSS3: 9.1

EPSS Низкий

Описание

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it again.

A flaw was found in libcurl. When sending data to an MQTT server could in some situations lead to libcurl using already freed memory and then try to free it again. The highest threat from this vulnerability is to data confidentiality as well as system availability.

Отчет

The MQTT feature is not enabled by default in any of the curl version that Red Hat ships

Затронутые пакеты

Платформа	Пакет	Состояние
.NET Core 2.1 on Red Hat Enterprise Linux	rh-dotnet21-curl	Out of support scope
.NET Core 3.1 on Red Hat Enterprise Linux	rh-dotnet31-curl	Not affected
Red Hat Ceph Storage 2	curl	Out of support scope
Red Hat Enterprise Linux 6	curl	Not affected
Red Hat Enterprise Linux 7	curl	Not affected
Red Hat Enterprise Linux 8	curl	Not affected
Red Hat Enterprise Linux 9	curl	Not affected
Red Hat JBoss Core Services	curl	Not affected
Red Hat Software Collections	httpd24-curl	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-416

https://bugzilla.redhat.com/show_bug.cgi?id=2001527curl: use-after-free and double-free in MQTT sending

EPSS

Процентиль: 68%

0.00574

Низкий

9.1 Critical

CVSS3

Связанные уязвимости

CVE-2021-22945

CVSS3: 9.1

ubuntu

больше 3 лет назад

CVE-2021-22945

CVSS3: 9.1

nvd

больше 3 лет назад

CVE-2021-22945

CVSS3: 9.1

msrc

больше 3 лет назад

Описание отсутствует

CVE-2021-22945

CVSS3: 9.1

debian

больше 3 лет назад

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 coul ...

GHSA-22mx-9r92-42g8

CVSS3: 9.1

github

около 3 лет назад

EPSS

Процентиль: 68%

0.00574

Низкий

9.1 Critical

CVSS3