CVE-2021-22897

medium

Published 2021-06-11 · Modified 2026-05-28

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.3

Description

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

Predictions

Exploit likelihood

63%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact

Arch Fixed 1 release

Version	Status	Fixed in
—	Fixed	`7.77.0-1`

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0`
sid	Fixed	`0`
forky	Fixed	`0`
bullseye	Fixed	`0`
bookworm	Fixed	`0`

Application impact

Vendor	Product	Versions	Fixed
haxx	curl	`{"startIncluding":"7.61.0","endIncluding":"7.76.1"}`
oracle	communications_cloud_native_core_binding_support_function	`1.11.0`
oracle	communications_cloud_native_core_network_function_cloud_native_environment	`1.10.0`
oracle	communications_cloud_native_core_network_repository_function	`1.15.0`
oracle	communications_cloud_native_core_network_repository_function	`1.15.1`
oracle	communications_cloud_native_core_network_slice_selection_function	`1.8.0`
oracle	communications_cloud_native_core_service_communication_proxy	`1.15.0`
oracle	essbase	`{"endExcluding":"11.1.2.4.047"}`	`11.1.2.4.047`
oracle	essbase	`{"startIncluding":"21.0","endExcluding":"21.3"}`	`21.3`
oracle	mysql_server	`{"endIncluding":"5.7.34"}`
oracle	mysql_server	`{"startIncluding":"8.0.0","endIncluding":"8.0.25"}`
netapp	cloud_backup	`-`
netapp	solidfire\,_enterprise_sds_\&_hci_storage_node	`-`
netapp	solidfire_\&_hci_management_node	`-`
netapp	hci_compute_node	`-`
netapp	h300e	`-`
netapp	h300s	`-`
netapp	h410s	`-`
netapp	h500e	`-`
netapp	h500s	`-`
netapp	h700e	`-`
netapp	h700s	`-`
siemens	sinec_infrastructure_network_services	`{"endExcluding":"1.0.1.1"}`	`1.0.1.1`
splunk	universal_forwarder	`{"startIncluding":"8.2.0","endExcluding":"8.2.12"}`	`8.2.12`
splunk	universal_forwarder	`{"startIncluding":"9.0.0","endExcluding":"9.0.6"}`	`9.0.6`
splunk	universal_forwarder	`9.1.0`

References

CWEs

CWE-840 CWE-668

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.