CVE-2021-22897 Information
Description
curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario this weakens transport security significantly.
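An added example, not curl's own code: a simplified C model of the flaw described above, showing how one shared `static` buffer lets the last configured transfer override an earlier one, beside per-transfer storage that keeps them isolated. The `struct transfer`, the function names and the cipher labels are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one transfer's TLS configuration. */
struct transfer {
    const char *requested;  /* cipher list the application asked for */
    const char *in_use;     /* storage the TLS setup actually points at */
    char own[64];           /* per-transfer storage (fixed model) */
};

/* Flawed model: a single buffer shared by every transfer in the process. */
static char shared[64];

static void setup_flawed(struct transfer *t)
{
    snprintf(shared, sizeof shared, "%s", t->requested);
    t->in_use = shared;     /* every transfer ends up aliasing the same buffer */
}

/* Fixed model: the selection lives with the transfer it belongs to. */
static void setup_fixed(struct transfer *t)
{
    snprintf(t->own, sizeof t->own, "%s", t->requested);
    t->in_use = t->own;
}

/* Returns 1 if transfer A still uses its own list after B is configured. */
static int isolated(void (*setup)(struct transfer *))
{
    /* Constructed labels, not real Schannel algorithm names. */
    struct transfer a = { .requested = "STRONG-ONLY" };
    struct transfer b = { .requested = "LEGACY-WEAK" };

    setup(&a);
    setup(&b);              /* the later transfer sets its ciphers last */
    return strcmp(a.in_use, a.requested) == 0;
}

int main(void)
{
    printf("shared static storage: A isolated = %d\n", isolated(setup_flawed));
    printf("per-transfer storage:  A isolated = %d\n", isolated(setup_fixed));
    return 0;
}
```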
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
https://curl.se/docs/CVE-2021-22897.html
https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511
https://hackerone.com/reports/1172857
https://www.oracle.com//security-alerts/cpujul2021.html
https://security.netapp.com/advisory/ntap-20210727-0007/
https://www.oracle.com/security-alerts/cpujan2022.html
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://www.oracle.com/security-alerts/cpuapr2022.html
cpe:2.3:a:haxx:curl::::::::
Attack Complexity: LOW
Privileges Required: NONE
User Interaction Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Base Score: 5.3
Base Severity: MEDIUM