CVE-2021-22897: curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a...
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-22897
GHSA ID
EPSS Score: 0.72382%
CWE
Published: 2022-05-24
Updated: 2024-04-07
KEV Status: No
Technology: -
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description states that the issue was caused by a 'static' variable used to store the selected cipher set in the code for CURLOPT_SSL_CIPHER_LIST when curl is built with the Schannel TLS library. Because the SCHANNEL_CRED structure handed to Schannel pointed at that single process-wide array, the last transfer to set its cipher list effectively chose the ciphers for every other transfer in the process; an application running several transfers with different cipher settings could therefore have a strong list silently replaced by a weaker one. That is why the CVSS vector records a confidentiality-only impact (C:L). The fix shipped in curl 7.77.0, and only builds that use the Schannel backend (curl -V names the TLS backend on its first line) are affected. The provided commit bbb71507b7bab52002f9b1e0880bed6a32834511 directly addresses this.

- File lib/vtls/schannel.c:
  - The function set_ssl_ciphers is modified. The key change is the removal of `static ALG_ID algIds[45];`. This static variable was the root cause of the vulnerability, as its contents were shared across different sessions/transfers.
  - The function signature of set_ssl_ciphers was changed from `set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)` to `set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, int *algIds)`. This allows algIds to be passed per call, rather than relying on a shared static variable.
  - The calling function schannel_connect_step1 was updated to pass BACKEND->algIds to the modified set_ssl_ciphers function.
- File lib/vtls/schannel.h:
  - The struct ssl_backend_data was modified to include `ALG_ID algIds[NUMOF_CIPHERS];`. This ensures that each SSL backend instance has its own storage for cipher IDs, which is then passed to set_ssl_ciphers.

The primary vulnerable function is set_ssl_ciphers, because it contained the faulty static variable. The function schannel_connect_step1 is part of the exploitation path, as it calls set_ssl_ciphers, but the vulnerability itself (the shared state) resided within set_ssl_ciphers.
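To make the shared-state defect concrete, the following added C example (written for this page; it is not curl's code and does not use Windows headers) models the two shapes of set_ssl_ciphers side by side: the pre-fix version with a function-local `static` array, and the post-fix version that writes into storage owned by each connection's backend data. The `cred_t`, `backend_t` and `cipher_table` types are stand-ins constructed for the example; the CALG_* values are given from memory of wincrypt.h and only need to be distinct for the demonstration.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned int ALG_ID;          /* Schannel's ALG_ID is an unsigned int */
#define NUMOF_CIPHERS 45              /* same bound the fix names in schannel.h */

/* Stand-in for the two SCHANNEL_CRED fields that the cipher list populates. */
typedef struct {
  unsigned long cSupportedAlgs;
  ALG_ID *palgSupportedAlgs;
} cred_t;

/* Stand-in for struct ssl_backend_data after the fix: per-connection storage. */
typedef struct {
  ALG_ID algIds[NUMOF_CIPHERS];
  cred_t cred;
} backend_t;

/* Constructed name->id table. Values follow wincrypt.h CALG_* constants as
 * recalled (assumption); only their distinctness matters for the demo. */
static const struct { const char *name; ALG_ID id; } cipher_table[] = {
  { "CALG_AES_256", 0x6610u },
  { "CALG_AES_128", 0x660eu },
  { "CALG_3DES",    0x6603u },
  { "CALG_RC4",     0x6801u },
};

static ALG_ID get_alg_id_by_name(const char *name, size_t len)
{
  size_t i;
  for(i = 0; i < sizeof(cipher_table) / sizeof(cipher_table[0]); i++)
    if(strlen(cipher_table[i].name) == len &&
       !memcmp(cipher_table[i].name, name, len))
      return cipher_table[i].id;
  return 0;
}

/* Parse a colon-separated CURLOPT_SSL_CIPHER_LIST-style string into algIds.
 * Unknown names are skipped; the count is capped at NUMOF_CIPHERS. */
static int parse_ciphers(const char *ciphers, ALG_ID *algIds)
{
  int algCount = 0;
  const char *startCur = ciphers;
  while(startCur && *startCur && algCount < NUMOF_CIPHERS) {
    const char *end = strchr(startCur, ':');
    size_t len = end ? (size_t)(end - startCur) : strlen(startCur);
    ALG_ID alg = get_alg_id_by_name(startCur, len);
    if(alg)
      algIds[algCount++] = alg;
    startCur = end ? end + 1 : NULL;
  }
  return algCount;
}

/* VULNERABLE shape (pre-fix): one static array, and every credential handed
 * to Schannel points at that same array. */
static void set_ssl_ciphers_static(cred_t *cred, const char *ciphers)
{
  static ALG_ID algIds[NUMOF_CIPHERS];
  int n = parse_ciphers(ciphers, algIds);
  cred->palgSupportedAlgs = algIds;   /* alias shared by all callers */
  cred->cSupportedAlgs = (unsigned long)n;
}

/* FIXED shape (post-fix): the caller passes storage owned by its own backend
 * instance (BACKEND->algIds in curl), so connections cannot alias each other. */
static void set_ssl_ciphers_per_conn(cred_t *cred, const char *ciphers,
                                     ALG_ID *algIds)
{
  int n = parse_ciphers(ciphers, algIds);
  cred->palgSupportedAlgs = algIds;
  cred->cSupportedAlgs = (unsigned long)n;
}

/* Connection A asks for AES-256 only; connection B later asks for RC4 only.
 * With the static array, A's credential now advertises RC4: the last caller
 * wins for everyone. Returns 1 if A was clobbered. */
int static_list_is_clobbered(void)
{
  cred_t a = {0, NULL}, b = {0, NULL};
  set_ssl_ciphers_static(&a, "CALG_AES_256");
  set_ssl_ciphers_static(&b, "CALG_RC4");
  return a.palgSupportedAlgs == b.palgSupportedAlgs &&
         a.palgSupportedAlgs[0] == 0x6801u;
}

/* Same scenario with per-connection storage: A keeps AES-256, B gets RC4.
 * Returns 1 if both lists are intact and held in distinct buffers. */
int per_conn_lists_are_isolated(void)
{
  backend_t a, b;
  memset(&a, 0, sizeof(a));
  memset(&b, 0, sizeof(b));
  set_ssl_ciphers_per_conn(&a.cred, "CALG_AES_256", a.algIds);
  set_ssl_ciphers_per_conn(&b.cred, "CALG_RC4", b.algIds);
  return a.cred.palgSupportedAlgs != b.cred.palgSupportedAlgs &&
         a.cred.palgSupportedAlgs[0] == 0x6610u && a.cred.cSupportedAlgs == 1 &&
         b.cred.palgSupportedAlgs[0] == 0x6801u && b.cred.cSupportedAlgs == 1;
}

int main(void)
{
  printf("static array clobbered:  %d\n", static_list_is_clobbered());
  printf("per-connection isolated: %d\n", per_conn_lists_are_isolated());
  return 0;
}
```

The demo runs the two configurations sequentially to keep it deterministic; in curl the damage is done when concurrent transfers (a multi handle, or easy handles on several threads) each call set_ssl_ciphers, so whichever ran last decides the cipher set that every SCHANNEL_CRED still referencing the static array presents to the peer. The post-fix shape removes the aliasing by construction rather than by adding a lock, which is the right remedy for per-connection configuration.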