Medium severity6.5NVD Advisory· Published Aug 5, 2021· Updated Apr 16, 2026

CVE-2021-22922

Description

When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.

Affected products

Haxx/Curl
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Range: >=7.27.0,<7.78.0
NetApp/Cloud Backup
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
NetApp/Clustered Data Ontap
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
NetApp/Hci Management Node
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
NetApp/Solidfire
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
Oracle Corporation/Mysql Server
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Range: >=5.7.0,<=5.7.35
Siemens Foundation/Sinec Infrastructure Network Services
cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
Range: <1.0.1.1
Splunk/Universal Forwarder2 versions
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*range: >=8.2.0,<8.2.12
- cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
Fedoraproject/Fedora
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
NetApp/H300e Firmware
cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
NetApp/H300s Firmware
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
NetApp/H410s Firmware
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
NetApp/H500e Firmware
cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
NetApp/H500s Firmware
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
NetApp/H700e Firmware
cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
NetApp/H700s Firmware
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

Patches

bfbde883af33

https://github.com/curl/curlvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfnvdPatchThird Party Advisory
www.oracle.com/security-alerts/cpuoct2021.htmlnvdPatchThird Party Advisory
hackerone.com/reports/1213175nvdExploitIssue TrackingThird Party Advisory
lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3EnvdMailing ListThird Party Advisory
lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3EnvdMailing ListThird Party Advisory
lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3EnvdMailing ListThird Party Advisory
lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3EnvdMailing ListThird Party Advisory
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/nvdMailing ListThird Party Advisory
security.gentoo.org/glsa/202212-01nvdThird Party Advisory
security.netapp.com/advisory/ntap-20210902-0003/nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000