CVE-2021-22898: 
MySQL vulnerability analysis and mitigation

CVE-2021-22898 affects curl versions 7.7 through 7.76.1. The vulnerability is related to an information disclosure when using the -t command line option (CURLOPTTELNETOPTIONS in libcurl) to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEWENV variables, libcurl could expose uninitialized data from a stack-based buffer to the server using a clear-text network protocol (Curl Advisory, NVD).

The vulnerability occurs because curl did not check the return code from a sscanf(command, "%127^,,%127s") function invoke correctly, and would leave the piece of the send buffer uninitialized for the value part if it was provided longer than 127 bytes. The buffer used is 2048 bytes large, and the variable part of the variable=content pairs would be stored correctly in the send buffer, making curl send interleaved bytes sequences of stack contents. A single curl TELNET handshake could be made to send off around 1800 bytes of non-contiguous stack contents (Curl Advisory).

The vulnerability could potentially reveal sensitive internal information to the server using a clear-text network protocol. The CVSS v3.1 base score is 3.1 LOW with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

The vulnerability was fixed in curl 7.77.0 by properly checking sscanf() return values and only using properly filled-in buffers. Users should upgrade to version 7.77.0 or later. If unable to upgrade, users should avoid using CURLOPT_TELNETOPTIONS (Curl Advisory).