CVE-2021-22922

Description

When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.

Predictions

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

References

• https://security.archlinux.org/ASA-202107-59
• https://security-tracker.debian.org/tracker/CVE-2021-22922
• https://www.suse.com/security/cve/CVE-2021-22922.html
• https://errata.rockylinux.org/RLSA-2021:3582
• https://access.redhat.com/errata/RHSA-2021:3582