Download
Browse source Changelog tiny-curl
Documentation
Project   Bug Bounty FAQ   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Videos Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users IRC / chat Mailing lists Everything curl [book] Video presentations Report a bug Paid support
Development
Autobuilds Code review Code style Contribute Dashboard Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Microsoft on CVE-2021-22947

From: John Hascall via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 12 Jan 2022 10:23:11 -0600

It isn't directly a RCE, but it seems like that might be a possibility --
say some process was using FTP/STARTTLS to download a script to run. If a
MITM can interject content as the top of that script, that could be
unpleasant.

John 

---
John Hascall
Senior Security Architect
Information Technology Services
Iowa State University
john_at_iastate.edu
On Wed, Jan 12, 2022 at 9:25 AM Patrick Monnerat via curl-library <
curl-library_at_lists.haxx.se> wrote:
>
> On 1/12/22 12:33, Daniel Stenberg via curl-library wrote:
> > Hi team,
> >
> > Just a FYI:
> >
> > Yesterday, Microsoft published information[1] and upgrade details for
> > fixing their version of curl in regards to the problem called
> > CVE-2021-22947 that we reported back in September 2021 [2].
> >
> > In their great wisdom, without asking us or reading our description,
> > they decided this is a "Remote Code Execution Vulnerability".
> >
> > I obviously disagree with that description.
>
> Me too !
>
> But it's really not the first time they do something wrong about
> security :-( What did you expect after all these years of erring ?...
>
> ;-)
>
> --
> Unsubscribe: https://lists.haxx.se/listinfo/curl-library
> Etiquette:   https://curl.haxx.se/mail/etiquette.html
>



-- 
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2022-01-12