{"id":"CURL-CVE-2021-22890","summary":"TLS 1.3 session ticket proxy host mix-up","details":"Enabled by default, libcurl supports the use of TLS 1.3 session tickets to\nresume previous TLS sessions to speed up subsequent TLS handshakes.\n\nWhen using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets\narriving from the HTTPS proxy but work as if they arrived from the remote\nserver and then wrongly \"short-cut\" the host handshake. The reason for this\nconfusion is the modified sequence from TLS 1.2 when the session ids would\nprovided only during the TLS handshake, while in TLS 1.3 it happens post\nhand-shake and the code was not updated to take that changed behavior into\naccount.\n\nWhen confusing the tickets, an HTTPS proxy can trick libcurl to use the wrong\nsession ticket resume for the host and thereby circumvent the server TLS\ncertificate check and make a MITM attack to be possible to perform unnoticed.\n\nThis flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a\nmalicious HTTPS proxy needs to provide a certificate that curl accepts for the\nMITMed server for an attack to work - unless curl has been told to ignore the\nserver certificate check.","aliases":["CVE-2021-22890"],"modified":"2026-05-21T06:00:22.278767503Z","published":"2021-03-31T08:00:00Z","database_specific":{"www":"https://curl.se/docs/CVE-2021-22890.html","issue":"https://hackerone.com/reports/1129529","severity":"Low","last_affected":"7.75.0","affects":"both","CWE":{"desc":"Authentication Bypass by Spoofing","id":"CWE-290"},"package":"curl","URL":"https://curl.se/docs/CVE-2021-22890.json"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.63.0"},{"fixed":"7.76.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"549310e907e82e44c59548351d4c6ac4aaada114"},{"fixed":"b09c8ee15771c614c4bf3ddac893cdb12187c844"}]}],"versions":["7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","curl-7_75_0","curl-7_74_0","curl-7_73_0","tiny-curl-7_72_0","curl-7_72_0","curl-7_71_1","curl-7_71_0","curl-7_70_0","curl-7_69_1","curl-7_69_0","curl-7_68_0","curl-7_67_0","curl-7_66_0","curl-7_65_3","curl-7_65_2","curl-7_65_1","curl-7_65_0","curl-7_64_1","curl-7_64_0","curl-7_63_0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2021-22890.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mingtao Yang (Facebook)","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}