Search for vulnerabilities
Vulnerability details: VCID-12hn-k727-m7f7
Vulnerability ID VCID-12hn-k727-m7f7
Aliases CVE-2021-22922
Summary When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-20 Improper Input Validation
CWE-755 Improper Handling of Exceptional Conditions
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22922.json
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.00372 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.00372 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
epss 0.00372 https://api.first.org/data/v1/epss?cve=CVE-2021-22922
cvssv3.1 Medium https://curl.se/docs/CVE-2021-22922.html
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2021-22922
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2021-22922
archlinux Medium https://security.archlinux.org/AVG-2194
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22922.json
https://api.first.org/data/v1/epss?cve=CVE-2021-22922
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://curl.se/docs/CVE-2021-22922.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22922
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/1213175
https://www.oracle.com/security-alerts/cpuoct2021.html
1981435 https://bugzilla.redhat.com/show_bug.cgi?id=1981435
ASA-202107-59 https://security.archlinux.org/ASA-202107-59
AVG-2194 https://security.archlinux.org/AVG-2194
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
CVE-2021-22922 https://nvd.nist.gov/vuln/detail/CVE-2021-22922
RHSA-2021:3582 https://access.redhat.com/errata/RHSA-2021:3582
RHSA-2021:3903 https://access.redhat.com/errata/RHSA-2021:3903
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22922.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-22922
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-22922
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.43633
EPSS Score 0.0021
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:42:20.351653+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.21/main.json 37.0.0