curl / Docs / Vulnerability table / 7.77.0 vulnerabilities

Vulnerabilities in curl 7.77.0

curl version 7.77.0 was released on May 26 2021. The following 8 security problems are known to exist in this version.

FlawFrom versionTo and includingCVECWE
STARTTLS protocol injection via MITM7.20.07.78.0CVE-2021-22947CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Protocol downgrade required TLS bypassed7.20.07.78.0CVE-2021-22946CWE-325: Missing Cryptographic Step
UAF and double-free in MQTT sending7.73.07.78.0CVE-2021-22945CWE-415: Double Free
CURLOPT_SSLCERT mixup with Secure Transport7.33.07.77.0CVE-2021-22926CWE-295: Improper Certificate Validation
TELNET stack contents disclosure again7.77.77.0CVE-2021-22925CWE-457: Use of Uninitialized Variable
Bad connection reuse due to flawed path name checks7.10.47.77.0CVE-2021-22924CWE-295: Improper Certificate Validation
Metalink download sends credentials7.27.07.77.0CVE-2021-22923CWE-522: Insufficiently Protected Credentials
Wrong content via metalink not discarded7.27.07.77.0CVE-2021-22922CWE-20: Improper Input Validation

Changelog for curl 7.77.0

See vulnerability summary for the previous release: 7.76.1 or the subsequent release: 7.78.0