PT-2021-5820 · Curl+5
Mingtao · Published 2021-03-17 · Updated 2026-05-18
CVE-2021-22890
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
curl versions 7.63.0 through 7.75.0
Description
The issue stems from incorrect handling of TLS 1.3 session tickets, which can allow a malicious HTTPS proxy to perform a man-in-the-middle (MITM) attack. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy and treat them as if they arrived from the remote server, which leads to a wrong "short-cut" of the host handshake. The HTTPS proxy can thereby trick libcurl into resuming the host connection with the wrong session ticket, circumventing the server TLS certificate check and allowing a MITM attack to go unnoticed. For the attack to work, the malicious HTTPS proxy must present a certificate that curl will accept for the MITMed server, unless curl has been told to ignore the server certificate check.
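A triage check for the affected range and the HTTPS-proxy precondition described above, as an added example that is not part of the original advisory or the curl project's code. The function names are hypothetical, the sample `curl --version` text is constructed, and the upstream version string is assumed to be authoritative.

```sh
#!/bin/sh
# Added example: classify `curl --version` output against this advisory.
# Affected range (from the advisory): 7.63.0 through 7.75.0.
# Precondition (from the description): an HTTPS proxy is in use, which
# requires the "HTTPS-proxy" feature in the build.

# Turn MAJOR.MINOR.PATCH into one comparable integer.
ver_num() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# classify_curl TEXT -> unknown | outside-range |
#                       in-range-no-https-proxy | in-range-https-proxy
classify_curl() {
    ver=$(printf '%s\n' "$1" |
        sed -n '1s/^curl \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    n=$(ver_num "$ver")
    if [ "$n" -lt "$(ver_num 7.63.0)" ] || [ "$n" -gt "$(ver_num 7.75.0)" ]; then
        echo outside-range
    elif printf '%s\n' "$1" | grep '^Features:' | grep -q 'HTTPS-proxy'; then
        echo in-range-https-proxy
    else
        echo in-range-no-https-proxy
    fi
}

# Constructed sample output (not captured from a real host).
SAMPLE='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f
Features: AsynchDNS HTTPS-proxy IPv6 Largefile SSL UnixSockets'

classify_curl "$SAMPLE"    # on a host: classify_curl "$(curl --version)"
```

Distribution packages can carry backported fixes under an unchanged upstream version number, so an in-range result is a prompt to check the package changelog rather than a final verdict.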
Recommendations
For curl versions 7.63.0 through 7.75.0, consider disabling the use of TLS 1.3 session tickets as a temporary workaround until a patch is available. Restrict access to the HTTPS proxy to minimize the risk of exploitation. Avoid using the session ticket parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Authentication Bypass by Spoofing
Affected Products
Alt Linux
Astra Linux
Linuxmint
Suse
Ubuntu
Curl