CVE-2021-22923
Description
Curl's metalink feature passes user credentials from the metalink XML download to content servers without user awareness.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
When curl is asked to download via its metalink feature (the --metalink option, present only in builds compiled with libmetalink support) and the user supplies a username and password to fetch the metalink XML file, those same credentials are forwarded to every server listed in that file from which curl then tries to fetch the actual content [1]. Upstream curl addressed the issue in 7.78.0 by removing the metalink feature entirely; downstream, the fix is among those bundled in Gentoo's GLSA 202212-01 [2], and the SUSE and openSUSE package ranges listed under Affected products mark the releases that carry a backported fix.
Exploitation
The precondition is that the user authenticates when fetching the metalink XML (for example, curl -u user:password --metalink <url>) and that at least one url element in that XML points to a server the attacker controls, either because the attacker authored or tampered with the metalink document or because they operate one of the listed mirrors [1]. No further user interaction is needed: curl sends the credentials to each mirror as it tries them, and the user gets no indication that this has happened.
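The flow the two sections above describe, as an added illustration that is not curl's code: a model client parses a constructed metalink document (the RFC 5854 XML format curl's --metalink consumed) and applies either the flawed credential policy or one that scopes the credentials to the origin the user authenticated against. The host names, file name, metalink URL and credentials are assumptions chosen for the example.

```python
# Added model of the CVE-2021-22923 credential-forwarding flaw. This is
# example code written for this page, not curl's source: it parses a
# metalink document and shows the flawed credential policy next to a
# policy that binds the credentials to the origin they were given for.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

METALINK_NS = "{urn:ietf:params:xml:ns:metalink}"

# Constructed sample metalink, as if served by the host the user
# authenticated against; the second mirror belongs to a third party.
SAMPLE_METALINK = """<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="package.tar.gz">
    <url>https://downloads.example.com/pub/package.tar.gz</url>
    <url>https://mirror.third-party.example/pub/package.tar.gz</url>
  </file>
</metalink>
"""
METALINK_URL = "https://downloads.example.com/pub/package.meta4"  # assumed
CREDENTIALS = ("alice", "s3cret")  # what the user would pass with -u (assumed)


def parse_metalink_urls(xml_text):
    """Return the mirror URLs listed in a metalink document, in order."""
    # Parse from bytes so a document carrying an XML declaration with an
    # encoding attribute is accepted as well.
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [
        url_el.text.strip()
        for file_el in root.findall(f"{METALINK_NS}file")
        for url_el in file_el.findall(f"{METALINK_NS}url")
        if url_el.text
    ]


def origin(url):
    """(scheme, host, port) triple: the unit credentials are scoped to."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def plan_vulnerable(metalink_url, metalink_xml, credentials):
    """Flawed policy: credentials given for the metalink go to every mirror."""
    return [(u, credentials) for u in parse_metalink_urls(metalink_xml)]


def plan_hardened(metalink_url, metalink_xml, credentials):
    """Scoped policy: credentials only to the origin the user authenticated to."""
    trusted = origin(metalink_url)
    return [
        (u, credentials if origin(u) == trusted else None)
        for u in parse_metalink_urls(metalink_xml)
    ]


def leaked_hosts(plan, metalink_url):
    """Hosts outside the metalink origin that would receive the credentials."""
    trusted = origin(metalink_url)
    return sorted(
        {urlsplit(u).hostname for u, creds in plan if creds and origin(u) != trusted}
    )


if __name__ == "__main__":
    for name, planner in (("vulnerable", plan_vulnerable), ("hardened", plan_hardened)):
        plan = planner(METALINK_URL, SAMPLE_METALINK, CREDENTIALS)
        print(name, "leaks credentials to:", leaked_hosts(plan, METALINK_URL))
```

The scoped policy is the same rule curl already applies to cross-host redirects, where credentials are not forwarded to a different host unless the user opts in with --location-trusted; the metalink code path simply did not apply it. Because the metalink document comes from a remote server, a real client should also parse it with a hardened XML parser (entity expansion disabled), which the stdlib parser used here only partly provides.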
Impact
Credentials intended only for the server hosting the metalink metadata are handed to third-party content servers, contrary to what a user would expect and without any notification [1]. Any operator of a listed mirror, or anyone able to insert a URL into the metalink document, can thereby capture authentication secrets meant for another service; credentials used with metalink downloads on an affected build should be treated as exposed and rotated.
Mitigation
Upgrade curl. Gentoo's GLSA 202212-01 directs users to version 7.86.0 or later [2]; upstream removed the metalink feature in 7.78.0, so any current upstream release is unaffected, and the SUSE and openSUSE package versions listed under Affected products mark the releases with a backported fix, so on those distributions compare the package release against the vendor advisory rather than the upstream version string. The advisory lists no workaround [2]; until the update is applied, do not pass credentials (-u, --netrc or credentials embedded in the URL) on a metalink download. A quick check on any host: curl --version lists "Metalink" under Features only when the build still contains the feature.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
curl/curl: 27 OSV package coordinates (no CPE assigned). Each entry gives the package coordinate and the affected version range:
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.2, range: < 7.66.0-lp152.3.21.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.3, range: < 7.66.0-4.22.1
- pkg:rpm/opensuse/curl-mini&distro=openSUSE%20Leap%2015.2, range: < 7.66.0-lp152.3.21.1
- pkg:rpm/suse/curl&distro=SUSE%20Enterprise%20Storage%206, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.0, range: < 7.66.0-4.22.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2, range: < 7.66.0-4.22.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3, range: < 7.66.0-4.22.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS, range: < 7.60.0-4.25.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 7.60.0-11.23.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4, range: < 7.60.0-4.25.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 7.60.0-11.23.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5, range: < 7.60.0-11.23.1
- pkg:rpm/suse/curl&distro=SUSE%20Manager%20Proxy%204.0, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20Manager%20Server%204.0, range: < 7.60.0-3.47.1
- pkg:rpm/suse/curl&distro=SUSE%20OpenStack%20Cloud%209, range: < 7.60.0-4.25.1
- pkg:rpm/suse/curl&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209, range: < 7.60.0-4.25.1
- pkg:rpm/suse/curl-openssl1&distro=SUSE%20Linux%20Enterprise%20Server%2011-SECURITY, range: < 7.37.0-70.71.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ (MITRE; vendor advisory)
- https://security.gentoo.org/glsa/202212-01 (MITRE; vendor advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (MITRE)
- https://hackerone.com/reports/1213181 (MITRE)
- https://security.netapp.com/advisory/ntap-20210902-0003/ (MITRE)
- https://www.oracle.com/security-alerts/cpuoct2021.html (MITRE)
News mentions
No linked articles in our index yet.