Updated: 2023-03-10 12:28:07.061403
Description:
curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending `NEW_ENV` variables, libcurl could be made to pass on uninitialized data from a stack-based buffer to the server, potentially revealing sensitive internal information to the server over a clear-text network protocol. This could happen because curl did not call and use sscanf() correctly when parsing the string provided by the application.
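The parsing flaw described above, reduced to an added C example that is not curl's code: the format string, the `build_pair` helper, the `STALE` marker and the sample inputs are assumptions made for illustration. It shows why treating any non-zero `sscanf()` result as success lets an unassigned buffer reach the output, and the return-value check that prevents it.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 128
/* Constructed marker standing in for whatever was left on the stack. */
#define STALE "STALE-STACK-BYTES"

/* Parse "NAME,VALUE" and write "NAME=VALUE" into out.
 * strict == 0: accept any non-zero sscanf() result (the flawed pattern).
 * strict != 0: require that both conversions were assigned.
 * Returns the length written to out, or -1 if the input is rejected. */
int build_pair(const char *in, char *out, size_t outlen, int strict)
{
    char name[FIELD_MAX];
    char value[FIELD_MAX];
    int n;

    /* Pre-fill deterministically so the demo has defined behaviour;
     * in real code these bytes would be indeterminate stack contents. */
    strcpy(name, STALE);
    strcpy(value, STALE);

    /* sscanf() returns the number of fields assigned, or EOF. */
    n = sscanf(in, "%127[^,],%127s", name, value);

    if (strict ? (n != 2) : (n == 0))
        return -1;

    return snprintf(out, outlen, "%s=%s", name, value);
}

int main(void)
{
    const char *samples[] = { "USER,alice", "USER", "" }; /* constructed */
    char out[2 * FIELD_MAX + 2];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int weak = build_pair(samples[i], out, sizeof out, 0);
        printf("\"%s\": weak=%d", samples[i], weak);
        if (weak >= 0)
            printf(" sends \"%s\"", out);
        printf(" strict=%d\n", build_pair(samples[i], out, sizeof out, 1));
    }
    return 0;
}
```

With the weak check, an input that has no comma assigns only the first field, so the second buffer goes out with whatever it already held; requiring a result of exactly 2 rejects that input before anything is sent.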
Links | NIST | CIRCL | RHEL | Ubuntu |
CVSS version | Severity | Score |
---|---|---|
CVSS Version 2.x | MEDIUM | 5 |
CVSS Version 3.x | MEDIUM | 5.3 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
---|---|---|---|---|---|---|---|
CentOS 6 ELS | curl | 7.19.7 | 5.3 | MEDIUM | Released | CLSA-2021:1632261944 | 2022-05-05 12:01:07 |
CentOS 6 ELS | mysql | 5.1.73 | 5.3 | MEDIUM | Ignored | | 2022-07-18 11:44:12 |
CentOS 8.4 ELS | curl | 7.61.1 | 5.3 | MEDIUM | Released | CLSA-2022:1643198583 | 2022-03-10 14:51:08 |
CentOS 8.4 ELS | mysql | 8.0.26 | 5.3 | MEDIUM | Not Vulnerable | | 2022-03-10 14:51:23 |
CentOS 8.5 ELS | curl | 7.61.1 | 5.3 | MEDIUM | Not Vulnerable | | 2022-03-10 14:51:08 |
CentOS 8.5 ELS | mysql | 8.0.26 | 5.3 | MEDIUM | Not Vulnerable | | 2022-03-10 14:51:23 |
CloudLinux 6 ELS | mysql | 5.1.73 | 5.3 | MEDIUM | Ignored | | 2022-07-18 11:44:12 |
CloudLinux 6 ELS | curl | 7.19.7 | 5.3 | MEDIUM | Released | | 2022-03-10 14:51:08 |
Oracle Linux 6 ELS | mysql | 5.1.73 | 5.3 | MEDIUM | Ignored | | 2022-07-18 11:44:12 |
Oracle Linux 6 ELS | curl | 7.19.7 | 5.3 | MEDIUM | Released | CLSA-2021:1634922517 | 2022-03-10 14:51:08 |