### [CVE-2021-22925](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22925)
![](https://img.shields.io/static/v1?label=Product&message=https%3A%2F%2Fgithub.com%2Fcurl%2Fcurl&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=curl%207.7%20to%20and%20including%207.77.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Information%20Disclosure%20(CWE-200)&color=brightgreen)

### Description

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers.

Due to a flaw in the option parser for sending `NEW_ENV` variables, libcurl could be made to pass on uninitialized data from a stack-based buffer to the server, potentially revealing sensitive internal information to the server over a clear-text network protocol.

This could happen because curl did not call and use `sscanf()` correctly when parsing the string provided by the application.

### POC

#### Reference
- http://seclists.org/fulldisclosure/2021/Sep/39
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html

#### Github
- https://github.com/fokypoky/places-list
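
#### Example: checked `sscanf()` parsing

An added example, not curl's source and not part of the original entry, showing the kind of checked `sscanf()` use that keeps the flaw in the Description from occurring: the conversion count is verified, and only the parsed bytes go into the NEW-ENVIRON frame. The `NAME,VALUE` input form, the 127-byte field widths and the function names `parse_env_pair` and `build_new_env` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Telnet constants from RFC 854 / RFC 1572. */
enum { IAC = 255, SB = 250, SE = 240, NEW_ENVIRON = 39, ENV_IS = 0, ENV_VAR = 0, ENV_VALUE = 1 };
#define FIELD_MAX 128 /* assumed field size, matches the %127 widths below */

/* Split "NAME,VALUE" (assumed input form) into two NUL-terminated fields.
 * Returns 0 on success, -1 when either field is missing. */
static int parse_env_pair(const char *arg, char name[FIELD_MAX], char value[FIELD_MAX])
{
    /* Start from zeroed buffers so a partial match cannot expose old stack bytes. */
    memset(name, 0, FIELD_MAX);
    memset(value, 0, FIELD_MAX);
    /* sscanf() returns how many fields it converted. "NAME" alone converts 1
     * and never writes value, so anything other than 2 is rejected. */
    return sscanf(arg, "%127[^,],%127s", name, value) == 2 ? 0 : -1;
}

/* Build IAC SB NEW-ENVIRON IS VAR name VALUE value IAC SE into out.
 * Returns the frame length, or -1 if the pair is malformed or out is too small. */
static int build_new_env(const char *arg, unsigned char *out, size_t outlen)
{
    char name[FIELD_MAX], value[FIELD_MAX];
    size_t nlen, vlen, pos = 0;

    if (parse_env_pair(arg, name, value) != 0)
        return -1;
    nlen = strlen(name);
    vlen = strlen(value);
    /* Lengths come from the parsed strings, never from sizeof(buffer). */
    if (nlen + vlen + 8 > outlen)
        return -1;
    out[pos++] = IAC; out[pos++] = SB; out[pos++] = NEW_ENVIRON; out[pos++] = ENV_IS;
    out[pos++] = ENV_VAR;
    memcpy(out + pos, name, nlen); pos += nlen;
    out[pos++] = ENV_VALUE;
    memcpy(out + pos, value, vlen); pos += vlen;
    out[pos++] = IAC; out[pos++] = SE;
    return (int)pos;
}

int main(void)
{
    unsigned char frame[300];
    printf("USER,alice -> %d bytes\n", build_new_env("USER,alice", frame, sizeof frame));
    printf("USER       -> %d\n", build_new_env("USER", frame, sizeof frame));
    return 0;
}
```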