How severe is CVE-2021-22947?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2021-22947?

This is classified as CWE-310, which is a common weakness in software security.

CVE-2021-22947

MEDIUM Year: 2021

CVSS v3 Score

5.9

Medium

CVSS v2 Score

4.3

Medium

Weakness Type

CWE-310

View all →

Vulnerability Description

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

CVE-2011-4667

MEDIUM

CVSS:5.9(Medium)

The encryption library in Cisco IOS Software 15.2(1)T, 15.2(1)T1, and 15.2(2)T, Cisco NX-OS in Cisco MDS 9222i Multiservice Modular Switch, Cisco MDS 9000 18/4-Port Multiservice Module, and Cisco MDS ...

CWE-3102011

CVE-2012-6702

MEDIUM

CVSS:5.9(Medium)

Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors inv...

CWE-3102012

CVE-2013-6673

MEDIUM

CVSS:5.9(Medium)

Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 do not recognize a user's removal of trust from an EV X.509 certificate, which makes it ea...

CWE-3102013

CVE-2014-2903

MEDIUM

CVSS:5.9(Medium)

CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server certificate not authorized for use in an SSL/TLS handshake.

CWE-3102014

CVE-2014-8878

MEDIUM

CVSS:5.9(Medium)

KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive information by sniffing the network.

CWE-3102014

CVE-2015-7256

MEDIUM

CVSS:5.9(Medium)

ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI access points; P-660HN-51, P-663HN-51, VMG1312-B10A, VMG1312-B30A, VMG1312-B30B, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, VMG8924-B...

CWE-3102015

CVE-2021-22947

Vulnerability Description

Related Vulnerabilities

CVE-2011-4667

CVE-2012-6702

CVE-2013-6673

CVE-2014-2903

CVE-2014-8878

CVE-2015-7256