CVE-2021-22897 : curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong sessio

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

Published 2021-06-11 16:15:11

Updated 2024-03-27 15:47:40

Source HackerOne

View at NVD, CVE.org

Products affected by CVE-2021-22897

Oracle » Mysql Server
Versions up to, including, (<=) 5.7.34
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql Server
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.0.25
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 1.10.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
Matching versions
Oracle » Essbase
Versions from including (>=) 21.0 and before (<) 21.3
cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
Matching versions
Oracle » Essbase
Versions before (<) 11.1.2.4.047
cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Slice Selection Function » Version: 1.8.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Repository Function » Version: 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Repository Function » Version: 1.15.1
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Binding Support Function » Version: 1.11.0
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Service Communication Proxy » Version: 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
Matching versions
Siemens » Sinec Infrastructure Network Services
Versions before (<) 1.0.1.1
cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Solidfire & Hci Management Node » Version: N/A
cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*
Matching versions
Netapp » Hci Compute Node Firmware » Version: N/A
cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Hci Compute Node » Version: N/A
Netapp » H300s Firmware » Version: N/A
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H300s » Version: N/A
Netapp » H500s Firmware » Version: N/A
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H500s » Version: N/A
Netapp » H700s Firmware » Version: N/A
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H700s » Version: N/A
Netapp » H300e Firmware » Version: N/A
cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H300e » Version: N/A
Netapp » H500e Firmware » Version: N/A
cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H500e » Version: N/A
Netapp » H700e Firmware » Version: N/A
cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H700e » Version: N/A
Netapp » H410s Firmware » Version: N/A
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H410s » Version: N/A
Netapp » Solidfire Baseboard Management Controller Firmware » Version: N/A
cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
Matching versions
Netapp » Solidfire, Enterprise Sds & Hci Storage Node » Version: N/A
cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*
Matching versions
Splunk » Universal Forwarder
Versions from including (>=) 8.2.0 and before (<) 8.2.12
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
Matching versions
Splunk » Universal Forwarder
Versions from including (>=) 9.0.0 and before (<) 9.0.6
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
Matching versions
Splunk » Universal Forwarder » Version: 9.1.0
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl
Versions from including (>=) 7.61.0 and up to, including, (<=) 7.76.1
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-22897

EPSS FAQ

0.76%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 72 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-22897

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2021-22897

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Assigned by: nvd@nist.gov (Primary)
CWE-840

Assigned by: support@hackerone.com (Secondary)

References for CVE-2021-22897

https://hackerone.com/reports/1172857

#1172857 CVE-2021-22897: schannel cipher selection surprise
Exploit;Issue Tracking;Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com//security-alerts/cpujul2021.html

Oracle Critical Patch Update Advisory - July 2021
Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511

schannel: don't use static to store selected ciphers · curl/curl@bbb7150 · GitHub
Patch;Third Party Advisory
https://security.netapp.com/advisory/ntap-20210727-0007/

June 2021 cURL/libcURL Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://curl.se/docs/CVE-2021-22897.html

curl - schannel cipher selection surprise - CVE-2021-22897
Patch;Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-22897

Products affected by CVE-2021-22897

Exploit prediction scoring system (EPSS) score for CVE-2021-22897

CVSS scores for CVE-2021-22897

CWE ids for CVE-2021-22897

References for CVE-2021-22897