Test ID:	1.3.6.1.4.1.25623.1.1.2.2022.1711
Category:	Huawei EulerOS Local Security Checks
Title:	Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2022-1711)
Summary:	The remote host is missing an update for the Huawei EulerOS 'curl' package(s) announced via the EulerOS-SA-2022-1711 advisory.
Description:	Summary: The remote host is missing an update for the Huawei EulerOS 'curl' package(s) announced via the EulerOS-SA-2022-1711 advisory. Vulnerability Insight: A has been found in curl. The fix for CVE-2021-22898 doesn't remedy the vulnerability. A flaw in the option parser for sending NEW_ENV variables libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality.(CVE-2021-22925) A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.(CVE-2020-8284) Affected Software/OS: 'curl' package(s) on Huawei EulerOS V2.0SP3. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2020-8284 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://security.netapp.com/advisory/ntap-20210122-0007/ https://support.apple.com/kb/HT212325 https://support.apple.com/kb/HT212326 https://support.apple.com/kb/HT212327 Debian Security Information: DSA-4881 (Google Search) https://www.debian.org/security/2021/dsa-4881 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/ https://security.gentoo.org/glsa/202012-14 https://curl.se/docs/CVE-2020-8284.html https://hackerone.com/reports/1040166 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html Common Vulnerability Exposure (CVE) ID: CVE-2021-22925 https://security.netapp.com/advisory/ntap-20210902-0003/ https://support.apple.com/kb/HT212804 https://support.apple.com/kb/HT212805 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ http://seclists.org/fulldisclosure/2021/Sep/39 http://seclists.org/fulldisclosure/2021/Sep/40 https://security.gentoo.org/glsa/202212-01 https://hackerone.com/reports/1223882 https://www.oracle.com/security-alerts/cpuoct2021.html
Copyright	Copyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.