{ "schema_version": "1.5.0", "id": "CURL-CVE-2021-22897", "aliases": [ "CVE-2021-22897" ], "summary": "Schannel cipher selection surprise", "modified": "2026-04-25T17:48:46.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22897.json", "www": "https://curl.se/docs/CVE-2021-22897.html", "issue": "https://hackerone.com/reports/1172857", "CWE": { "id": "CWE-488", "desc": "Exposure of Data Element to Wrong Session" }, "award": { "amount": "800", "currency": "USD" }, "last_affected": "7.76.1", "severity": "Low" }, "published": "2021-05-26T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.61.0"}, {"fixed": "7.77.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "9aefbff30d280c60fc9d8cc3e0b2f19fc70a2f28"}, {"fixed": "bbb71507b7bab52002f9b1e0880bed6a32834511"} ] } ], "versions": [ "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl lets applications specify which specific TLS ciphers to use in\ntransfers, using the option called `CURLOPT_SSL_CIPHER_LIST`. The cipher\nselection is used for the TLS negotiation when a transfer is done involving\nany of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS,\nIMAPS, POP3S, SMTPS etc.\n\nDue to a mistake in the code, the selected cipher set was stored in a single\n\"static\" variable in the library, which has the surprising side-effect that if\nan application sets up multiple concurrent transfers, the last one that sets\nthe ciphers accidentally controls the set used by all transfers. In a\nworst-case scenario, this weakens transport security significantly." }