CVE-2021-22923 Overview
CVE-2021-22923 is a credential leakage vulnerability in the curl command-line tool and library affecting its metalink feature. When curl is instructed to retrieve content using the metalink feature with a username and password to download the metalink XML file, those same credentials are subsequently passed on to each of the servers from which curl will download or attempt to download content. This behavior occurs without user notification and is often contrary to the user's expectations and intentions.
Critical Impact
Sensitive authentication credentials may be inadvertently transmitted to unintended third-party servers when using curl's metalink feature, potentially exposing usernames and passwords to unauthorized parties.
Affected Products
- Haxx curl (multiple versions)
- Fedora 33
- NetApp Cloud Backup, Clustered Data ONTAP, HCI Management Node, SolidFire
- Oracle MySQL Server
- Siemens SINEC Infrastructure Network Services
- NetApp H-Series firmware and hardware (H300S, H500S, H700S, H300E, H500E, H700E, H410S)
- Splunk Universal Forwarder
Discovery Timeline
- 2021-08-05 - CVE-2021-22923 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22923
Vulnerability Analysis
This vulnerability falls under CWE-319 (Cleartext Transmission of Sensitive Information). The core issue lies in how curl handles credential propagation when processing metalink files. Metalink is a format that allows downloading files from multiple sources (mirrors) for redundancy and performance. When a user authenticates to download a metalink XML descriptor file, curl improperly reuses those credentials for all subsequent download operations specified within the metalink file.
The vulnerability creates a significant security concern because metalink files can reference arbitrary download servers that are not under the control of the original authenticated source. An attacker who can influence the contents of a metalink file could potentially harvest credentials by including their own server as a download mirror.
Root Cause
The root cause is improper credential scoping in curl's metalink implementation. The authentication context established for retrieving the metalink XML file is incorrectly applied to all subsequent download operations. The credentials should be scoped only to the original server and not automatically propagated to different hosts referenced in the metalink file.
This represents a violation of the principle of least privilege, where credentials intended for one specific service are inadvertently shared with potentially untrusted third-party servers listed in the metalink document.
Attack Vector
The attack vector requires network access with some user interaction. An attacker could exploit this vulnerability through several scenarios:
Malicious Metalink File: An attacker controlling a compromised or malicious server could serve a metalink file that lists attacker-controlled servers as download mirrors. When a user authenticates to download content, their credentials would be sent to the attacker's servers.
Man-in-the-Middle Attack: An attacker positioned to intercept network traffic could modify a legitimate metalink file to inject their own server URLs, capturing credentials when curl attempts to download from the injected locations.
Compromised Mirror: If a legitimate metalink file references mirrors that become compromised, attackers controlling those mirrors could receive credentials that users never intended to share with them.
The vulnerability is particularly concerning in enterprise environments where service accounts or privileged credentials may be used with curl for automated downloads.
Detection Methods for CVE-2021-22923
Indicators of Compromise
- Unexpected outbound authentication attempts to unfamiliar servers during metalink-based downloads
- Network logs showing HTTP Basic or Digest authentication headers being sent to multiple distinct hosts in rapid succession
- curl command executions with both --metalink and credential options (-u, --user) in command-line arguments
Detection Strategies
- Monitor network traffic for credential transmission patterns to multiple hosts following metalink file retrieval
- Implement egress filtering to detect and alert on authentication attempts to unauthorized or unexpected external hosts
- Review curl usage patterns in scripts and automated processes for metalink feature usage with embedded credentials
- Deploy endpoint detection to flag curl processes using metalink functionality with authentication parameters
Monitoring Recommendations
- Enable verbose logging for curl operations in production environments to capture credential usage patterns
- Implement network-level monitoring for HTTP Authorization headers being sent to unexpected destinations
- Create alerts for curl processes that initiate connections to multiple distinct hosts within short time windows
- Monitor for downloads of .metalink or .meta4 files, especially when followed by multi-host download activity
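The "credentials sent to multiple hosts right after a metalink fetch" pattern from the indicators above, as an added detection example (not from curl or any vendor advisory). It runs over a constructed, simplified proxy log format (timestamp, method, URL, whether an Authorization header was present); the hosts and the 60-second window are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log lines (not from a real system): timestamp, method,
# URL and whether the request carried an Authorization header.
SAMPLE_LOG = """\
2021-08-05T10:00:00Z GET https://files.example.com/release.metalink auth=basic
2021-08-05T10:00:01Z GET https://files.example.com/release.tar.gz auth=basic
2021-08-05T10:00:02Z GET https://mirror.example.org/release.tar.gz auth=basic
2021-08-05T10:00:03Z GET https://cdn.example.net/release.tar.gz auth=basic
2021-08-05T10:05:00Z GET https://other.example.com/index.html auth=none
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) auth=(\S+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "url": m.group(3), "host": urlparse(m.group(3)).hostname,
            "auth": m.group(4) != "none"}

def find_credential_spray(log_text, window_seconds=60):
    """For each authenticated .metalink/.meta4 fetch, return the other hosts that
    received an authenticated request within window_seconds afterwards."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    for i, ev in enumerate(events):
        if not ev["auth"] or not ev["url"].lower().endswith((".metalink", ".meta4")):
            continue
        deadline = ev["ts"] + timedelta(seconds=window_seconds)
        leaked_to = sorted({
            later["host"] for later in events[i + 1:]
            if later["ts"] <= deadline and later["auth"] and later["host"] != ev["host"]
        })
        if leaked_to:
            alerts.append({"at": ev["ts"], "origin": ev["host"], "leaked_to": leaked_to})
    return alerts

if __name__ == "__main__":
    for a in find_credential_spray(SAMPLE_LOG):
        print(f"{a['at']:%Y-%m-%dT%H:%M:%SZ} credentials for {a['origin']} "
              f"also sent to: {', '.join(a['leaked_to'])}")
```

Requests to the descriptor's own host are deliberately not flagged, since credentials scoped to that host are expected there.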
How to Mitigate CVE-2021-22923
Immediate Actions Required
- Update curl to the latest patched version that addresses CVE-2021-22923
- Audit existing scripts and applications using curl's metalink feature with authentication
- Avoid using the --metalink option in combination with username/password authentication until patched
- Consider using credential-free authentication methods (such as API tokens) that can be easily rotated if compromised
Patch Information
Security patches addressing this vulnerability have been released by multiple vendors. Organizations should apply the appropriate updates for their affected systems:
- curl/libcurl: Update to the latest stable release from the curl project
- Fedora: Apply updates via the Fedora package repositories as announced in the Fedora Package Announcement
- Gentoo: Follow guidance in GLSA 202212-01
- NetApp: Review NetApp Security Advisory NTAP-20210902-0003
- Oracle MySQL: Apply patches from the Oracle CPU October 2021 Alert
- Siemens: Follow guidance in Siemens Security Advisory SSA-389290
Workarounds
- Disable or avoid using the metalink feature when authentication is required
- Download metalink files separately without authentication, then manually verify mirror URLs before downloading content
- Use network segmentation to limit which hosts can receive authenticated connections from systems running curl
- Implement application-level credential management that does not rely on passing credentials via curl command-line options
# Workaround: do not combine authentication with --metalink
# Instead of:
# curl -u username:password --metalink https://example.com/file.metalink
# Fetch only the metalink descriptor (no --metalink, so no mirrors are contacted):
curl -O https://example.com/file.metalink
# Inspect the descriptor and confirm every listed mirror is one you trust
grep -i '<url' file.metalink
# Then download from one verified mirror, so the credentials reach only that host
curl -u username:password https://trusted-mirror.example.com/file.tar.gz
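The mirror-inspection step done programmatically, as an added example (not curl's code or any vendor's): it parses a constructed Metalink descriptor and separates mirrors on the descriptor's own host (where the credentials belong) from off-origin hosts that would have received the same credentials from an unpatched curl. It handles both the Metalink v4 (RFC 5854) namespace and the older v3 one by matching the local element name; the origin URL, mirror hosts and optional allow-list are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed Metalink v4 descriptor, as if fetched from files.example.com.
# The hosts are placeholders, not real mirrors.
SAMPLE_METALINK = """\
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="release.tar.gz">
    <size>1048576</size>
    <url priority="1">https://files.example.com/release.tar.gz</url>
    <url priority="2">https://mirror.example.org/pub/release.tar.gz</url>
    <url priority="3">ftp://cdn.example.net/release.tar.gz</url>
  </file>
</metalink>
"""

def mirror_urls(metalink_xml):
    """Return the text of every <url> element, whatever namespace (v3 or v4) it sits in."""
    root = ET.fromstring(metalink_xml)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "url" and el.text]

def triage_mirrors(metalink_xml, origin_url, allowed_hosts=()):
    """Split mirrors into those that may receive the origin's credentials
    (same host as the descriptor, or explicitly allowed) and those that must not."""
    origin_host = urlparse(origin_url).hostname
    allowed = {origin_host, *allowed_hosts}
    safe, off_origin = [], []
    for url in mirror_urls(metalink_xml):
        host = urlparse(url).hostname
        (safe if host in allowed else off_origin).append(url)
    return safe, off_origin

if __name__ == "__main__":
    safe, off = triage_mirrors(SAMPLE_METALINK, "https://files.example.com/release.metalink")
    print("same-origin mirrors (credentials appropriate here):")
    for u in safe:
        print("  " + u)
    print("off-origin mirrors (would also have received the credentials before the fix):")
    for u in off:
        print("  " + u)
```

Only the URLs in the "safe" list should be handed the credentials; anything in the off-origin list is a host the user never authenticated to.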
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.