CURL-CVE-2021-22897

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2021-22897.html

Import Source

https://curl.se/docs/CURL-CVE-2021-22897.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2021-22897

Aliases

CVE-2021-22897

Published

2021-05-26T08:00:00Z

Modified

2024-06-07T13:53:51Z

Summary

Schannel cipher selection surprise

Details

libcurl lets applications specify which specific TLS ciphers to use in transfers, using the option called CURLOPT_SSL_CIPHER_LIST. The cipher selection is used for the TLS negotiation when a transfer is done involving any of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.

Due to a mistake in the code, the selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers accidentally controls the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

Database specific

{
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2021-22897.html",
    "CWE": {
        "desc": "Exposure of Data Element to Wrong Session",
        "id": "CWE-488"
    },
    "URL": "https://curl.se/docs/CVE-2021-22897.json",
    "issue": "https://hackerone.com/reports/1172857",
    "package": "curl",
    "affects": "both",
    "award": {
        "currency": "USD",
        "amount": "800"
    },
    "last_affected": "7.76.1"
}

References

Credits

- Harry Sintonen - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.61.0

Fixed

7.77.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

9aefbff30d280c60fc9d8cc3e0b2f19fc70a2f28

Fixed

bbb71507b7bab52002f9b1e0880bed6a32834511

Affected versions

7.*

7.61.0

7.61.1

7.62.0

7.63.0

7.64.0

7.64.1

7.65.0

7.65.1

7.65.2

7.65.3

7.66.0

7.67.0

7.68.0

7.69.0

7.69.1

7.70.0

7.71.0

7.71.1

7.72.0

7.73.0

7.74.0

7.75.0

7.76.0

7.76.1

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/curl/curl.git/commit/bbb71507b7bab52002f9b1e0880bed6a32834511",
        "signature_type": "Line",
        "target": {
            "file": "lib/vtls/schannel.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CURL-CVE-2021-22897-369c7e73",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "169306282263403152476778100550579197303",
                "297501274346842746936104394958035664195",
                "115226342142473284132899468397361420315",
                "234734752945961461342272917723384093426",
                "295386562829775930098639946838584527244",
                "219517661826067509758353138597803787494",
                "244949559378790381198359763585636363260",
                "332559676467627573058079295969579883439",
                "172944519042723511467055631002959388061",
                "49891809641561640485570718961026384269",
                "303945483550590176791034946765591014847",
                "160380589874126636249932610610053765267",
                "202261837233141056431919104544500820999"
            ]
        }
    },
    {
        "source": "https://github.com/curl/curl.git/commit/bbb71507b7bab52002f9b1e0880bed6a32834511",
        "signature_type": "Line",
        "target": {
            "file": "lib/vtls/schannel.h"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CURL-CVE-2021-22897-731f3de3",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "144288989636727895116566759813531481869",
                "310223903940348029157260322620209786472",
                "305687057856332765216788005169622682063",
                "325657448106323421990448296138158547936",
                "292286319081006362423274139499724779986",
                "39604824998280807468150180221600407666",
                "57176848086045237311152580885468675039"
            ]
        }
    },
    {
        "source": "https://github.com/curl/curl.git/commit/bbb71507b7bab52002f9b1e0880bed6a32834511",
        "signature_type": "Function",
        "target": {
            "function": "schannel_connect_step1",
            "file": "lib/vtls/schannel.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CURL-CVE-2021-22897-a0ff66c6",
        "digest": {
            "length": 14322.0,
            "function_hash": "211186878913764398743821657885986770610"
        }
    },
    {
        "source": "https://github.com/curl/curl.git/commit/bbb71507b7bab52002f9b1e0880bed6a32834511",
        "signature_type": "Function",
        "target": {
            "function": "set_ssl_ciphers",
            "file": "lib/vtls/schannel.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CURL-CVE-2021-22897-f33500b8",
        "digest": {
            "length": 676.0,
            "function_hash": "36431407875438539121636832984401189544"
        }
    }
]