CVE-2021-22897

Name of the Vulnerable Software and Affected Versions libcurl versions 7.61.0 through 7.76.1

Description The issue is related to the implementation of the Transport Layer Security (TLS) protocol in the libcurl library, specifically with errors in security settings when using the CURLOPT SSL CIPHER LIST configuration. This can allow a remote attacker to gain unauthorized access to protected information. The selected cipher set is stored in a single "static" variable in the library, which can cause the last application to set the ciphers to accidentally control the set used by all transfers, weakening transport security significantly.

Recommendations For libcurl versions 7.61.0 through 7.76.1, consider disabling the use of the CURLOPT SSL CIPHER LIST option until a patch is available, as a temporary workaround to minimize the risk of exploitation. Restrict access to the Schannel TLS library to reduce the attack surface. Avoid using concurrent transfers with different cipher settings to prevent accidental control of the cipher set used by all transfers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.