| Summary | curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly. |
|---|---|
| Publication Date | June 12, 2021, 1:15 a.m. |
| Registration Date | June 12, 2021, 2:01 p.m. |
| Last Update | Nov. 21, 2024, 2:50 p.m. |
| CVSS3.1 : MEDIUM | |
| スコア | 5.3 |
|---|---|
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 攻撃元区分(AV) | ネットワーク |
| 攻撃条件の複雑さ(AC) | 低 |
| 攻撃に必要な特権レベル(PR) | 不要 |
| 利用者の関与(UI) | 不要 |
| 影響の想定範囲(S) | 変更なし |
| 機密性への影響(C) | 低 |
| 完全性への影響(I) | なし |
| 可用性への影響(A) | なし |
| CVSS2.0 : MEDIUM | |
| Score | 4.3 |
|---|---|
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| 攻撃元区分(AV) | ネットワーク |
| 攻撃条件の複雑さ(AC) | 中 |
| 攻撃前の認証要否(Au) | 不要 |
| 機密性への影響(C) | 低 |
| 完全性への影響(I) | なし |
| 可用性への影響(A) | なし |
| Get all privileges. | いいえ |
| Get user privileges | いいえ |
| Get other privileges | いいえ |
| User operation required | いいえ |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | 7.61.0 | 7.76.1 | |||
| Configuration2 | or higher | or less | more than | less than | |
| cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* | 8.0.0 | 8.0.25 | |||
| cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:* | 21.0 | 21.3 | |||
| cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:* | 11.1.2.4.047 | ||||
| cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* | 5.7.34 | ||||
| cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:* | |||||
| Configuration3 | or higher | or less | more than | less than | |
| cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:* | |||||
| cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:* | |||||
| Configuration4 | or higher | or less | more than | less than | |
| cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:* | ||||
| Configuration5 | or higher | or less | more than | less than | |
| cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:* | ||||
| Configuration6 | or higher | or less | more than | less than | |
| cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* | ||||
| Configuration7 | or higher | or less | more than | less than | |
| cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:* | ||||
| Configuration8 | or higher | or less | more than | less than | |
| cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:* | ||||
| Configuration9 | or higher | or less | more than | less than | |
| cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* | ||||
| Configuration10 | or higher | or less | more than | less than | |
| cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:* | ||||
| Configuration11 | or higher | or less | more than | less than | |
| cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* | ||||
| Configuration12 | or higher | or less | more than | less than | |
| cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* | 1.0.1.1 | ||||
| Configuration13 | or higher | or less | more than | less than | |
| cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* | 9.0.0 | 9.0.6 | |||
| cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* | 8.2.0 | 8.2.12 | |||
| Title | curl における誤った領域へのリソースの漏えいに関する脆弱性 |
|---|---|
| Summary | curl には、誤った領域へのリソースの漏えいに関する脆弱性が存在します。 |
| Possible impacts | 情報を取得される可能性があります。 |
| Solution | ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date | May 24, 2021, midnight |
| Registration Date | March 7, 2022, 11:20 a.m. |
| Last Update | March 7, 2022, 11:20 a.m. |
| オラクル |
| MySQL |
| Oracle Essbase Server |
| Haxx |
| cURL 7.61.0 から 7.76.1 |
| NetApp |
| H300E ファームウェア |
| H300S ファームウェア |
| NetApp Cloud Backup |
| NetApp HCI Compute Node ファームウェア |
| NetApp SolidFire & HCI Management Node |
| NetApp SolidFire Enterprise SDS & HCI Storage Node |
| Solidfire Baseboard Management Controller |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2022年03月07日] 掲載 |
March 7, 2022, 11:20 a.m. |