{"id":"CVE-2021-22897","details":"curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single \"static\" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.","aliases":["CURL-CVE-2021-22897"],"modified":"2026-05-16T04:03:02.881627742Z","published":"2021-06-11T16:15:10.963Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.11.0"}],"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_binding_support_function"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.10.0"}],"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_network_function_cloud_native_environment"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.15.0"},{"last_affected":"1.15.1"}],"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_network_repository_function"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.8.0"}],"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_network_slice_selection_function"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.15.0"}],"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_service_communication_proxy"},{"source":"CPE_FIELD","extracted_events":[{"fixed":"11.1.2.4.047"},{"introduced":"21.0"},{"fixed":"21.3"}],"cpes":["cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:essbase"},{"source":"CPE_FIELD","extracted_events":[{"fixed":"1.0.1.1"}],"cpes":["cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*"],"vendor_product":"siemens:sinec_infrastructure_network_services"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"8.2.0"},{"fixed":"8.2.12"},{"introduced":"9.0.0"},{"fixed":"9.0.6"},{"last_affected":"9.1.0"}],"cpes":["cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*","cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*"],"vendor_product":"splunk:universal_forwarder"}]},"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210727-0007/"},{"type":"REPORT","url":"https://hackerone.com/reports/1172857"},{"type":"FIX","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"},{"type":"FIX","url":"https://curl.se/docs/CVE-2021-22897.html"},{"type":"FIX","url":"https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}