haxx curl CVE-2021-22897 vulnerability in Haxx and Other Products
Published on June 11, 2021

product logo product logo product logo product logo product logo product logo
curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

NVD

Weakness Type

Business Logic Errors

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.


Products Associated with CVE-2021-22897

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-22897 are published in these products:

Haxx Curl
 
Oracle Essbase
 
Oracle MySQL
 
NetApp Cloud Backup
 
NetApp Solidfire Enterprise Sds Hci Storage Node
 
NetApp Solidfire Hci Management Node
 
NetApp Solidfire Baseboard Management Controller Firmware
 
Siemens Sinec Infrastructure Network Services
 
Oracle Communications Cloud Native Core Network Slice Selection Function
 
Oracle Communications Cloud Native Core Network Repository Function
 
Oracle Communications Cloud Native Core Network Function Cloud Native Environment
 
Oracle Communications Cloud Native Core Service Communication Proxy
 
Oracle Communications Cloud Native Core Binding Support Function
 
Splunk Universal Forwarder
 
Oracle
 

Exploit Probability

EPSS
0.83%
Percentile
74.27%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.