Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO Web Site Info
Protocols
alt-svc CA Extract HSTS HTTP cookies HTTP/2 HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Nums Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / CURLOPT_SSLCERT mix-up with Secure Transport
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table
Awarded 1000 USD

CVE-2021-22926

CURLOPT_SSLCERT mix-up with Secure Transport

Project curl Security Advisory, July 21st 2021 - Permalink

VULNERABILITY

libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPT_SSLCERT option (--cert with the command line tool).

When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.

If the application runs with a current working directory that is writable by other users (like /tmp), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.

INFO

The fixed libcurl version will now instead first check for a certificate in the key chain using the specified name and only if one does not exist, it will check for a file name.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22926 to this issue.

CWE-295: Improper Certificate Validation

Severity: Medium

AFFECTED VERSIONS

Using libcurl on macOS built to use Secure Transport.

Also note that libcurl is used by many applications, and not always advertised as such.

SOLUTION

File names used in this option must contain at least one slash.

RECOMMENDATIONS

A - Upgrade curl to version 7.78.0

B - Apply the patch to your local version

C - Do now run your application in directories where other users can inject files.

TIMELINE

This issue was reported to the curl project on June 15, 2021.

This advisory was posted on July 21, 2021.

CREDITS

Thanks a lot!