
Re: Microsoft on CVE-2021-22947

From: Zakrzewski, Jakub via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 12 Jan 2022 16:42:31 +0000

> It isn't directly a RCE, but it seems like that might be a possibility -- say some process
> was using FTP/STARTTLS to download a script to run. If a MITM can interject content
> at the top of that script, that could be unpleasant.

Sorry, but with that logic almost everything becomes an RCE.
It's not an RCE unless it can directly be used to run code. Changing script content
(however dangerous) is not causing it to run (and for sure not by curl itself).



Received on 2022-01-12