Vulnerabilities > CVE-2021-22897 - Exposure of Resource to Wrong Sphere vulnerability in multiple products

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

Vulnerable Configurations

Part	Description	Count
Application	Haxx Haxx Curl 7.61.0 Haxx Curl 7.61.1 Haxx Curl 7.62.0 Haxx Curl 7.63.0 Haxx Curl 7.64.0 Haxx Curl 7.64.1 Haxx Curl 7.65.0 Haxx Curl 7.65.1 Haxx Curl 7.65.2 Haxx Curl 7.65.3 Haxx Curl 7.66.0 Haxx Curl 7.67.0 Haxx Curl 7.68.0 Haxx Curl 7.69.0 Haxx Curl 7.69.1 Haxx Curl 7.70.0 Haxx Curl 7.71.0 Haxx Curl 7.71.1 Haxx Curl 7.72.0 Haxx Curl 7.73.0 Haxx Curl 7.74.0 Haxx Curl 7.75.0 Haxx Curl 7.76.0 Haxx Curl 7.76.1	24
Application	Oracle Oracle Mysql Server 8.0.0 Oracle Mysql Server 8.0.15 Oracle Mysql Server 8.0.17 Oracle Mysql Server 8.0.22 Oracle Mysql Server 8.0.23 Oracle Mysql Server 8.0.24 Oracle Mysql Server 8.0.25 Oracle Mysql Server - Oracle Mysql Server 5.7.0 Oracle Mysql Server 5.7.26 Oracle Mysql Server 5.7.27 Oracle Mysql Server 5.7.28 Oracle Mysql Server 5.7.32 Oracle Mysql Server 5.7.33 Oracle Mysql Server 5.7.34 Oracle Essbase 21.1 Oracle Essbase 21.2 Oracle Essbase * Oracle Communications Cloud Native Core Network Slice Selection Function 1.8.0 Oracle Communications Cloud Native Core Network Repository Function 1.15.0 Oracle Communications Cloud Native Core Network Repository Function 1.15.1 Oracle Communications Cloud Native Core Network Function Cloud Native Environment 1.10.0 Oracle Communications Cloud Native Core Service Communication Proxy 1.15.0 Oracle Communications Cloud Native Core Binding Support Function 1.11.0	24
Application	Netapp Netapp Cloud Backup - Netapp Solidfire & HCI Management Node - Netapp Solidfire, Enterprise SDS & HCI Storage Node -	3
Application	Siemens Siemens Sinec Infrastructure Network Services - Siemens Sinec Infrastructure Network Services 1.0.1	2
Application	Splunk Splunk Universal Forwarder 9.1.0 Splunk Universal Forwarder 9.0.0 Splunk Universal Forwarder 9.0.1 Splunk Universal Forwarder 9.0.2 Splunk Universal Forwarder 9.0.3 Splunk Universal Forwarder 9.0.4 Splunk Universal Forwarder 9.0.5 Splunk Universal Forwarder 8.2.0 Splunk Universal Forwarder 8.2.6 Splunk Universal Forwarder 8.2.7 Splunk Universal Forwarder 8.2.8 Splunk Universal Forwarder 8.2.9 Splunk Universal Forwarder 8.2.10 Splunk Universal Forwarder 8.2.11	14
OS	Netapp Netapp Solidfire Baseboard Management Controller Firmware - Netapp HCI Compute Node Firmware - Netapp H300E Firmware - Netapp H300S Firmware - Netapp H410S Firmware - Netapp H500E Firmware - Netapp H500S Firmware - Netapp H700E Firmware - Netapp H700S Firmware -	9
Hardware	Netapp Netapp HCI Compute Node - Netapp H300E - Netapp H300S - Netapp H410S - Netapp H500E - Netapp H500S - Netapp H700E - Netapp H700S -	8

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References