#VU53584 Inadequate encryption strength in cURL - CVE-2021-22897
Published: May 26, 2021
Vulnerability identifier: #VU53584
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-22897
CWE-ID: CWE-326
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
cURL
cURL
Software vendor:
curl.haxx.se
curl.haxx.se
Description
The vulnerability allows a remote attacker to force applications use weak cryptographic ciphers.
The vulnerability exists due to a logic error when selecting TLS ciphers during connection via the CURLOPT_SSL_CIPHER_LIST option in libcurl. The selected cipher set was stored in a single "static" variable in the library that is used for multiple concurrent transfers within the specific application, the last one that sets the ciphers will accidentally control the set used by all transfers.
The vulnerability can be triggered when Schannel is used, which is the native TLS library in Microsoft Windows.
Remediation
Install updates from vendor's website.