Detections
Analytics

Unity Linux 20.1060e / 20.1070e Security Update: curl (UTSA-2026-017594)

high Nessus Plugin ID 314026

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017594 advisory.

 libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected curl package.

See Also

http://www.nessus.org/u?e40442e0

https://nvd.nist.gov/vuln/detail/CVE-2021-22926

http://www.nessus.org/u?d669748f

Plugin Details

Severity: High

ID: 314026

File Name: unity_linux_UTSA-2026-017594.nasl

Version: 1.1

Type: Local

Published: 5/11/2026

Updated: 5/11/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2021-22926

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/UOS-Server/release, Host/UOS-Server/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/11/2026

Vulnerability Publication Date: 8/5/2021

Reference Information

CVE: CVE-2021-22926