5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-22897

GHSA ID

GHSA-frcg-47mh-pj2g

EPSS Score

0.72382%

CWE

CWE-668

Published

5/24/2022

Updated

4/7/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-22897

CVE-2021-22897: curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a...

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-22897

GHSA ID

GHSA-frcg-47mh-pj2g

EPSS Score

0.72382%

CWE

CWE-668

Published

5/24/2022

Updated

4/7/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description clearly states that the issue was due to a 'static' variable used to store the selected cipher set in the code for CURLOPT_SSL_CIPHER_LIST when using the Schannel TLS library. The provided commit bbb71507b7bab52002f9b1e0880bed6a32834511 directly addresses this.

File lib/vtls/schannel.c:
- The function set_ssl_ciphers is modified. The key change is the removal of static ALG_ID algIds[45];. This static variable was the root cause of the vulnerability, as its value would be shared across different sessions/transfers.
- The function signature of set_ssl_ciphers was changed from set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) to set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, int *algIds). This change allows algIds to be passed per call, rather than relying on a shared static variable.
- The calling function schannel_connect_step1 was updated to pass BACKEND->algIds to the modified set_ssl_ciphers function.
File lib/vtls/schannel.h:
- The struct ssl_backend_data was modified to include ALG_ID algIds[NUMOF_CIPHERS];. This ensures that each SSL backend instance has its own storage for cipher IDs, which is then passed to set_ssl_ciphers.

The primary vulnerable function is set_ssl_ciphers because it contained the faulty static variable. The function schannel_connect_step1 is part of the exploitation path as it calls set_ssl_ciphers, but the vulnerability itself (the shared state) resided within set_ssl_ciphers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*url *.**.* t*rou** *.**.* su***rs *rom *xposur* o* **t* *l*m*nt to wron* s*ssion *u* to * mist*k* in t** *o** *or *URLOPT_SSL_*IP**R_LIST w**n li**url is *uilt to us* t** S***nn*l TLS li*r*ry. T** s*l**t** *ip**r s*t w*s stor** in * sin*l* "st*ti*"

Reasoning

T** vuln*r**ility **s*ription *l**rly st*t*s t**t t** issu* w*s *u* to * 'st*ti*' v*ri**l* us** to stor* t** s*l**t** *ip**r s*t in t** *o** *or *URLOPT_SSL_*IP**R_LIST w**n usin* t** S***nn*l TLS li*r*ry. T** provi*** *ommit `***********************

5.3

Basic Information

Concerned about an active attack path?

CVE-2021-22897: curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a...

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI