CVE-2021-22897

moderate-risk

Published 2021-06-11

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

Do I need to act?

0.79% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Curl

Communications Cloud Native Core Binding Support Function

Communications Cloud Native Core Network Function Cloud Native Environment

Communications Cloud Native Core Network Repository Function

Communications Cloud Native Core Network Slice Selection Function

Communications Cloud Native Core Service Communication Proxy

Essbase

Mysql Server

Cloud Backup

Solidfire\, Enterprise Sds \& Hci Storage Node

Solidfire \& Hci Management Node

Solidfire Baseboard Management Controller Firmware

Hci Compute Node Firmware

H300E Firmware

H300S Firmware

H410S Firmware

H500E Firmware

H500S Firmware

H700E Firmware

Affected Vendors

Oracle Siemens Haxx Netapp Splunk

References (16)

Patch https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch https://curl.se/docs/CVE-2021-22897.html

Patch https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511

Exploit https://hackerone.com/reports/1172857

Third Party Advisory https://security.netapp.com/advisory/ntap-20210727-0007/

Patch https://www.oracle.com//security-alerts/cpujul2021.html

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Patch https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch https://curl.se/docs/CVE-2021-22897.html

Patch https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511

Exploit https://hackerone.com/reports/1172857

Third Party Advisory https://security.netapp.com/advisory/ntap-20210727-0007/

Patch https://www.oracle.com//security-alerts/cpujul2021.html

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 3/34 · Minimal

Exposure 21/34 · High