CVE-2021-22897
MEDIUM
curl <7.76.1 - Info Disclosure
Title source: llm
Description
curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
Scores
CVSS v3
5.3
EPSS
0.0083
EPSS Percentile
74.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Classification
CWE
CWE-840
CWE-668
Status
published
Affected Products (24)
haxx/curl
< 7.76.1
oracle/communications_cloud_native_core_binding_support_function
oracle/communications_cloud_native_core_network_function_cloud_native_environment
oracle/communications_cloud_native_core_network_repository_function
oracle/communications_cloud_native_core_network_repository_function
oracle/communications_cloud_native_core_network_slice_selection_function
oracle/communications_cloud_native_core_service_communication_proxy
oracle/essbase
< 11.1.2.4.047
oracle/mysql_server
< 5.7.34
netapp/cloud_backup
netapp/solidfire\,_enterprise_sds_\&_hci_storage_node
netapp/solidfire_\&_hci_management_node
netapp/solidfire_baseboard_management_controller_firmware
netapp/hci_compute_node_firmware
netapp/h300e_firmware
... and 9 more
Timeline
Published
Jun 11, 2021
Tracked Since
Feb 18, 2026