5.3

CVE-2021-22897

Exploit

EPSS 1.08%
Veröffentlicht 11.06.2021 16:15:10
Zuletzt bearbeitet 21.11.2024 05:50:51
Quelle support@hackerone.com
Teams Watchlist Login
Unerledigt Login

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Haxx ≫ Curl Version >= 7.61.0 <= 7.76.1

Oracle ≫ Communications Cloud Native Core Binding Support Function Version1.11.0

Oracle ≫ Communications Cloud Native Core Network Function Cloud Native Environment Version1.10.0

Oracle ≫ Communications Cloud Native Core Network Repository Function Version1.15.0

Oracle ≫ Communications Cloud Native Core Network Repository Function Version1.15.1

Oracle ≫ Communications Cloud Native Core Network Slice Selection Function Version1.8.0

Oracle ≫ Communications Cloud Native Core Service Communication Proxy Version1.15.0

Oracle ≫ Essbase Version < 11.1.2.4.047

Oracle ≫ Essbase Version >= 21.0 < 21.3

Oracle ≫ Mysql Server Version <= 5.7.34

Oracle ≫ Mysql Server Version >= 8.0.0 <= 8.0.25

Netapp ≫ Cloud Backup Version-

Netapp ≫ Solidfire, Enterprise Sds & Hci Storage Node Version-

Netapp ≫ Solidfire & Hci Management Node Version-

Netapp ≫ Solidfire Baseboard Management Controller Firmware Version-

Netapp ≫ Hci Compute Node Firmware Version-

Netapp ≫ Hci Compute Node Version-

Netapp ≫ H300e Firmware Version-

Netapp ≫ H300e Version-

Netapp ≫ H300s Firmware Version-

Netapp ≫ H300s Version-

Netapp ≫ H410s Firmware Version-

Netapp ≫ H410s Version-

Netapp ≫ H500e Firmware Version-

Netapp ≫ H500e Version-

Netapp ≫ H500s Firmware Version-

Netapp ≫ H500s Version-

Netapp ≫ H700e Firmware Version-

Netapp ≫ H700e Version-

Netapp ≫ H700s Firmware Version-

Netapp ≫ H700s Version-

Siemens ≫ Sinec Infrastructure Network Services Version < 1.0.1.1

Splunk ≫ Universal Forwarder Version >= 8.2.0 < 8.2.12

Splunk ≫ Universal Forwarder Version >= 9.0.0 < 9.0.6

Splunk ≫ Universal Forwarder Version9.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.08%	0.771

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch

Third Party Advisory

https://curl.se/docs/CVE-2021-22897.html

Patch

Vendor Advisory

https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511

Patch

Third Party Advisory

https://hackerone.com/reports/1172857

Third Party Advisory

Exploit

Issue Tracking

https://security.netapp.com/advisory/ntap-20210727-0007/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-22897

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-22897

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-22897

EUVD