{
  "id": "CVE-2021-22890",
  "details": "curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly \"short-cut\" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.",
  "aliases": ["CURL-CVE-2021-22890"],
  "modified": "2026-04-16T04:31:10.511563106Z",
  "published": "2021-04-01T18:15:12.917Z",
  "related": ["SUSE-SU-2021:1006-1", "openSUSE-SU-2021:0510-1", "openSUSE-SU-2024:10582-1"],
  "references": [
    {"type": "ADVISORY", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/"},
    {"type": "ADVISORY", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/"},
    {"type": "ADVISORY", "url": "https://security.gentoo.org/glsa/202105-36"},
    {"type": "ADVISORY", "url": "https://security.netapp.com/advisory/ntap-20210521-0007/"},
    {"type": "ADVISORY", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/"},
    {"type": "ADVISORY", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"},
    {"type": "FIX", "url": "https://hackerone.com/reports/1129529"},
    {"type": "FIX", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"},
    {"type": "FIX", "url": "https://curl.se/docs/CVE-2021-22890.html"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/curl/curl",
          "events": [
            {"introduced": "4258dc02d86e7e4de9f795a1af3a0bc6732d4ab5"},
            {"last_affected": "2f33be817cbce6ad7a36f27dd7ada9219f13584c"}
          ],
          "database_specific": {
            "versions": [
              {"introduced": "7.63.0"},
              {"last_affected": "7.75.0"}
            ]
          }
        }
      ],
      "versions": [
        "curl-7_63_0", "curl-7_64_0", "curl-7_64_1", "curl-7_65_0", "curl-7_65_1",
        "curl-7_65_2", "curl-7_65_3", "curl-7_66_0", "curl-7_67_0", "curl-7_68_0",
        "curl-7_69_0", "curl-7_69_1", "curl-7_70_0", "curl-7_71_0", "curl-7_71_1",
        "curl-7_72_0", "curl-7_73_0", "curl-7_74_0", "curl-7_75_0"
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22890.json",
        "unresolved_ranges": [
          {"events": [{"introduced": "0"}, {"last_affected": "32"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "33"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "34"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "9.0"}]},
          {"events": [{"introduced": "0"}, {"fixed": "1.0.1.1"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "12.0.0.3.0"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "21.2"}]},
          {"events": [{"introduced": "8.2.0"}, {"fixed": "8.2.12"}]},
          {"events": [{"introduced": "9.0.0"}, {"fixed": "9.0.6"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "9.1.0"}]}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}
  ]
}