{ "document": { "aggregate_severity": { "text": "Low" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/rhel7els/vex/2021/cve-2021-22924-els_os-rhel7els.json" } ], "tracking": { "current_release_date": "2026-06-13T02:53:51Z", "generator": { "date": "2026-06-13T02:53:51Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2021-22924-ELS_OS-RHEL7ELS", "initial_release_date": "2021-08-05T21:15:00Z", "revision_history": [ { "date": "2021-08-05T21:15:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-06-13T02:53:51Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "Security update on CVE-2021-22924" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux 7", "product": { "name": "Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7", "product_identification_helper": { "cpe": "cpe:2.3:o:redhat:enterprise_linux:7:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product": { "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_id": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/curl@7.29.0-59.0.3.el7_9.2?arch=x86_64" } } }, { "category": "product_version", "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/libcurl@7.29.0-59.0.3.el7_9.2?arch=x86_64" } } }, { "category": "product_version", "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64", "product": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/libcurl-devel@7.29.0-59.0.3.el7_9.2?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "product": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/libcurl@7.29.0-59.0.3.el7_9.2?arch=i686" } } }, { "category": "product_version", "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "product": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/libcurl-devel@7.29.0-59.0.3.el7_9.2?arch=i686" } } } ], "category": "architecture", "name": "i686" } ], "category": "vendor", "name": "Red Hat, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product": { "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_id": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/curl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl-devel@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=i686" } } }, { "category": "product_version", "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl-devel@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=i686" } } } ], "category": "architecture", "name": "i686" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64" }, "product_reference": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64" }, "product_reference": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686" }, "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686" }, "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64" }, "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64" }, "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64" }, "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64" }, "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686" }, "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686" }, "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "relates_to_product_reference": "Red-Hat-7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-22924", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "description", "text": "libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2021-22924" }, { "category": "external", "summary": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "category": "external", "summary": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" }, { "category": "external", "summary": "https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf" }, { "category": "external", "summary": "https://hackerone.com/reports/1223565", "url": "https://hackerone.com/reports/1223565" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E", "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20210902-0003/", "url": "https://security.netapp.com/advisory/ntap-20210902-0003/" }, { "category": "external", "summary": "https://www.debian.org/security/2022/dsa-5197", "url": "https://www.debian.org/security/2022/dsa-5197" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujan2022.html", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuoct2021.html", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "release_date": "2021-08-05T21:15:00Z", "remediations": [ { "category": "no_fix_planned", "date": "2026-06-12T13:07:13.613213Z", "details": "CVE-2021-22924 only manifests when a process reuses a pooled TLS connection after changing certificate-verification settings between transfers—specifically using the non-default issuer-cert option or cert/CA file paths that differ only by letter case—conditions not present in libcurl’s defaults. Even if hit, reuse is still restricted to the same host/port/protocol and the effect is limited to a low confidentiality risk (no integrity, availability, code-execution, or privilege-escalation impact). Given the high exploitation complexity and these narrow, non-default preconditions, this is a low‑priority issue for centrally managed Linux servers and VMs.", "product_ids": [ "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ] } ] }