How severe is CVE-2021-22890?

This vulnerability has a severity rating of LOW with a CVSS score of 3.7 out of 10.

What type of vulnerability is CVE-2021-22890?

This is classified as CWE-300, which is a common weakness in software security.

CVE-2021-22890

LOW Year: 2021

CVSS v3 Score

3.7

Low

CVSS v2 Score

4.3

Medium

Weakness Type

CWE-300

View all →

Vulnerability Description

curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

CVE-2017-6052

LOW

CVSS:3.7(Low)

A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. Communication channel endpoints are not verified, which may allow a remote attacker to access or influence ...

CWE-3002017

CVE-2019-3981

LOW

CVSS:3.7(Low)

MikroTik Winbox 3.20 and below is vulnerable to man in the middle attacks. A man in the middle can downgrade the client's authentication protocol and recover the user's username and MD5 hashed passwor...

CWE-3002019

CVE-2024-50565

LOW

CVSS:3.1(Low)

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through ...

CWE-3002024

CVE-2018-14636

MEDIUM

CVSS:5.3(Medium)

Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively ...

CWE-3002018

CVE-2019-8282

MEDIUM

CVSS:5.3(Medium)

Gemalto Admin Control Center, all versions prior to 7.92, uses cleartext HTTP to communicate with www3.safenet-inc.com to obtain language packs. This allows attacker to do man-in-the-middle (MITM) att...

CWE-3002019

CVE-2023-2310

MEDIUM

CVSS:5.3(Medium)

A Channel Accessible by Non-Endpoint vulnerability in the Schweitzer Engineering Laboratories SEL Real-Time Automation Controller (RTAC) could allow a remote attacker to perform a man-in-the-middle (M...

CWE-3002023

CVE-2021-22890

Vulnerability Description

Related Vulnerabilities

CVE-2017-6052

CVE-2019-3981

CVE-2024-50565

CVE-2018-14636

CVE-2019-8282

CVE-2023-2310