CVE-2021-22946: 
MySQL vulnerability analysis and mitigation

A vulnerability was discovered in curl versions 7.20.0 through 7.78.0 that allows bypassing TLS requirements when communicating with IMAP, POP3 or FTP servers. When using the --ssl-reqd command line option or setting CURLOPT_USE_SSL to CURLUSESSL_CONTROL or CURLUSESSL_ALL in libcurl, a crafted server response could cause curl to continue operations without TLS encryption despite the security requirement, potentially exposing sensitive data in clear text over the network (curl.se).

The vulnerability affects curl's handling of TLS upgrade requirements when communicating with IMAP, POP3 and FTP servers. When a user configures curl to require TLS encryption using either the command line option --ssl-reqd or the libcurl option CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL, a malicious server could return a specially crafted but valid response that causes curl to proceed with the connection in plaintext, contrary to the security requirement. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The successful exploitation of this vulnerability could result in sensitive data being transmitted in clear text over the network, despite explicit configuration requiring TLS encryption. This could allow attackers to intercept and view confidential information that was intended to be encrypted (curl.se).

The vulnerability was fixed in curl version 7.79.0. Users should upgrade to this version or later to address the issue. The fix was implemented in commit 364f174724ef11 (curl.se). Multiple vendors have released patches for their products incorporating this fix, including Oracle, Debian, Red Hat, and others (Oracle, Debian).