CVE-2021-22922: 
MySQL vulnerability analysis and mitigation

CVE-2021-22922 is a vulnerability in curl's metalink feature that affects versions 7.27.0 through 7.77.0. When curl downloads content using metalink, it verifies the content against a hash provided in the metalink XML file. However, when a downloaded file's hash mismatches, curl only displays a warning message but keeps the potentially malicious content on disk instead of removing it and trying another URL (curl docs).

The vulnerability exists in curl's metalink feature implementation. When downloading content via metalink, curl verifies downloaded files against hashes specified in the metalink XML file. If a server hosting the content has been compromised and the file is replaced with malicious content, curl should detect the hash mismatch and remove the file. However, curl only displays a warning message while retaining the potentially malicious file on disk. The vulnerability has a CVSS v3.1 base score of 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) (NVD).

If exploited, this vulnerability could allow an attacker to deliver malicious content to users through compromised download servers, with the malicious content remaining on disk despite hash verification failures. The user may not notice the warning message and assume the downloaded file is legitimate (curl docs).

The curl project has completely removed the metalink feature as of version 7.78.0. For earlier versions, the recommended fix is to rebuild curl with metalink support disabled. Users should upgrade to curl version 7.78.0 or later to fully address this vulnerability (curl docs).