Cyber Resilience

CVE-2021-22901

High · Public PoC

Published: 11 June 2021

Modified: 21 November 2024
KEV Added
Patch
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0021 (43.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22901 is a high-severity Use After Free (CWE-416) vulnerability in Splunk Universal Forwarder. Its CVSS base score is 8.1 (High).

Operationally, it ranks at the 43.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client.

When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: Affected versions
haxx / curl: 7.75.0 — 7.76.1
oracle / communications cloud native core binding support function: 1.11.0
oracle / communications cloud native core network function cloud native environment: 1.10.0
oracle / communications cloud native core network repository function: 1.15.0, 1.15.1
oracle / communications cloud native core network slice selection function: 1.8.0
oracle / communications cloud native core service communication proxy: 1.15.0
oracle / essbase: ≤ 11.1.2.4.047 · 21.0 — 21.3
oracle / mysql server: ≤ 5.7.34 · 8.0.0 — 8.0.25
netapp / active iq unified manager: all versions
netapp / cloud backup: all versions
+16 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-416

Non-executable pages and ASLR block, or make significantly harder, use-after-free exploits that aim to achieve arbitrary code execution.

References