CVE-2021-22897
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
curl versiones 7.61.0 hasta 7.76.1, sufre de exposición de un elemento de datos a una sesión equivocada debido a un error en el código para la función CURLOPT_SSL_CIPHER_LIST cuando libcurl es construído para usar la biblioteca TLS de Schannel. El ajuste de cifrado seleccionado se almacenaba en una única variable "static" en la biblioteca, lo que tiene el sorprendente efecto secundario de que si una aplicación establece múltiples transferencias concurrentes, la última que ajusta los cifrados controlará accidentalmente el ajuste usado por todas las transferencias. En el peor de los casos, esto debilita significativamente la seguridad del transporte
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-06 CVE Reserved
- 2021-06-11 CVE Published
- 2024-05-17 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-668: Exposure of Resource to Wrong Sphere
- CWE-840: Business Logic Errors
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://security.netapp.com/advisory/ntap-20210727-0007 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://hackerone.com/reports/1172857 | 2024-08-03 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Netapp Search vendor "Netapp" | Hci Compute Node Firmware Search vendor "Netapp" for product "Hci Compute Node Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | Hci Compute Node Search vendor "Netapp" for product "Hci Compute Node" | - | - |
Safe
|
Netapp Search vendor "Netapp" | H300e Firmware Search vendor "Netapp" for product "H300e Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H300e Search vendor "Netapp" for product "H300e" | - | - |
Safe
|
Netapp Search vendor "Netapp" | H300s Firmware Search vendor "Netapp" for product "H300s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H300s Search vendor "Netapp" for product "H300s" | - | - |
Safe
|
Netapp Search vendor "Netapp" | H410s Firmware Search vendor "Netapp" for product "H410s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H410s Search vendor "Netapp" for product "H410s" | - | - |
Safe
|
Netapp Search vendor "Netapp" | H500e Firmware Search vendor "Netapp" for product "H500e Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H500e Search vendor "Netapp" for product "H500e" | - | - |
Safe
|
Netapp Search vendor "Netapp" | H500s Firmware Search vendor "Netapp" for product "H500s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H500s Search vendor "Netapp" for product "H500s" | - | - |
Safe
|
Netapp Search vendor "Netapp" | H700e Firmware Search vendor "Netapp" for product "H700e Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H700e Search vendor "Netapp" for product "H700e" | - | - |
Safe
|
Netapp Search vendor "Netapp" | H700s Firmware Search vendor "Netapp" for product "H700s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H700s Search vendor "Netapp" for product "H700s" | - | - |
Safe
|
Haxx Search vendor "Haxx" | Curl Search vendor "Haxx" for product "Curl" | >= 7.61.0 <= 7.76.1 Search vendor "Haxx" for product "Curl" and version " >= 7.61.0 <= 7.76.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Binding Support Function Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" | 1.11.0 Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" and version "1.11.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Function Cloud Native Environment Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" | 1.10.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" and version "1.10.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" | 1.15.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "1.15.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" | 1.15.1 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "1.15.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Slice Selection Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" | 1.8.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "1.8.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Service Communication Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" | 1.15.0 Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" and version "1.15.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Essbase Search vendor "Oracle" for product "Essbase" | < 11.1.2.4.047 Search vendor "Oracle" for product "Essbase" and version " < 11.1.2.4.047" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Essbase Search vendor "Oracle" for product "Essbase" | >= 21.0 < 21.3 Search vendor "Oracle" for product "Essbase" and version " >= 21.0 < 21.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Mysql Server Search vendor "Oracle" for product "Mysql Server" | <= 5.7.34 Search vendor "Oracle" for product "Mysql Server" and version " <= 5.7.34" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Mysql Server Search vendor "Oracle" for product "Mysql Server" | >= 8.0.0 <= 8.0.25 Search vendor "Oracle" for product "Mysql Server" and version " >= 8.0.0 <= 8.0.25" | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Cloud Backup Search vendor "Netapp" for product "Cloud Backup" | - | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Solidfire\, Enterprise Sds \& Hci Storage Node Search vendor "Netapp" for product "Solidfire\, Enterprise Sds \& Hci Storage Node" | - | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Solidfire \& Hci Management Node Search vendor "Netapp" for product "Solidfire \& Hci Management Node" | - | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Solidfire Baseboard Management Controller Firmware Search vendor "Netapp" for product "Solidfire Baseboard Management Controller Firmware" | - | - |
Affected
| ||||||
Siemens Search vendor "Siemens" | Sinec Infrastructure Network Services Search vendor "Siemens" for product "Sinec Infrastructure Network Services" | < 1.0.1.1 Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1" | - |
Affected
| ||||||
Splunk Search vendor "Splunk" | Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder" | >= 8.2.0 < 8.2.12 Search vendor "Splunk" for product "Universal Forwarder" and version " >= 8.2.0 < 8.2.12" | - |
Affected
| ||||||
Splunk Search vendor "Splunk" | Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder" | >= 9.0.0 < 9.0.6 Search vendor "Splunk" for product "Universal Forwarder" and version " >= 9.0.0 < 9.0.6" | - |
Affected
| ||||||
Splunk Search vendor "Splunk" | Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder" | 9.1.0 Search vendor "Splunk" for product "Universal Forwarder" and version "9.1.0" | - |
Affected
|