{"id":"CVE-2021-22897","details":"curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single \"static\" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.","aliases":["CURL-CVE-2021-22897"],"modified":"2026-04-11T13:53:50.334470Z","published":"2021-06-11T16:15:10.963Z","references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210727-0007/"},{"type":"REPORT","url":"https://hackerone.com/reports/1172857"},{"type":"FIX","url":"https://curl.se/docs/CVE-2021-22897.html"},{"type":"FIX","url":"https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"eb8138405a3f747f2c236464932f72e918946f68"},{"last_affected":"566b74a0e19b9aa610f4931e5bfd339bcf8e9147"},{"fixed":"bbb71507b7bab52002f9b1e0880bed6a32834511"}],"database_specific":{"versions":[{"introduced":"7.61.0"},{"last_affected":"7.76.1"}]}},{"type":"GIT","repo":"https://github.com/mysql/mysql-server","events":[{"introduced":"0"},{"last_affected":"a9b0c712de3509d8d08d3ba385d41a4df6348775"},{"introduced":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"last_affected":"98b2ccb470de120d36bc4a623c814cdfded958ec"},{"introduced":"0"},{"last_affected":"61a3a1d8ef15512396b4c2af46e922a19bf2b174"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.7.34"},{"introduced":"8.0.0"},{"last_affected":"8.0.25"},{"introduced":"0"},{"last_affected":"9.1.0"}]}}],"versions":["curl-7_61_0","curl-7_61_1","curl-7_62_0","curl-7_63_0","curl-7_64_0","curl-7_64_1","curl-7_65_0","curl-7_65_1","curl-7_65_2","curl-7_65_3","curl-7_66_0","curl-7_67_0","curl-7_68_0","curl-7_69_0","curl-7_69_1","curl-7_70_0","curl-7_71_0","curl-7_71_1","curl-7_72_0","curl-7_73_0","curl-7_74_0","curl-7_75_0","curl-7_76_0","curl-7_76_1","mysql-3.23.22-beta","mysql-3.23.28-gamma","mysql-3.23.30-gamma","mysql-3.23.31","mysql-3.23.32","mysql-3.23.33","mysql-3.23.36","mysql-4.0.2","mysql-4.0.4","mysql-5.1.4","mysql-5.7.31","mysql-5.7.32","mysql-5.7.34","mysql-8.0.24","mysql-8.0.25","mysql-9.0.0-release","mysql-9.1.0","mysql-cluster-8.0.24","mysql-cluster-8.0.25","mysql-cluster-9.1.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"fixed":"11.1.2.4.047"}]},{"events":[{"introduced":"21.0"},{"fixed":"21.3"}]},{"events":[{"introduced":"0"},{"fixed":"1.0.1.1"}]},{"events":[{"introduced":"8.2.0"},{"fixed":"8.2.12"}]},{"events":[{"introduced":"9.0.0"},{"fixed":"9.0.6"}]}],"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511","deprecated":false,"target":{"file":"lib/vtls/schannel.c"},"digest":{"line_hashes":["169306282263403152476778100550579197303","297501274346842746936104394958035664195","115226342142473284132899468397361420315","234734752945961461342272917723384093426","295386562829775930098639946838584527244","219517661826067509758353138597803787494","244949559378790381198359763585636363260","332559676467627573058079295969579883439","172944519042723511467055631002959388061","49891809641561640485570718961026384269","303945483550590176791034946765591014847","160380589874126636249932610610053765267","202261837233141056431919104544500820999"],"threshold":0.9},"id":"CVE-2021-22897-462e72f1"},{"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511","deprecated":false,"target":{"file":"lib/vtls/schannel.h"},"digest":{"line_hashes":["144288989636727895116566759813531481869","310223903940348029157260322620209786472","305687057856332765216788005169622682063","325657448106323421990448296138158547936","292286319081006362423274139499724779986","39604824998280807468150180221600407666","57176848086045237311152580885468675039"],"threshold":0.9},"id":"CVE-2021-22897-66d13eee"},{"signature_version":"v1","signature_type":"Function","source":"https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511","deprecated":false,"target":{"function":"schannel_connect_step1","file":"lib/vtls/schannel.c"},"digest":{"function_hash":"211186878913764398743821657885986770610","length":14322},"id":"CVE-2021-22897-8c49663e"},{"signature_version":"v1","signature_type":"Function","source":"https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511","deprecated":false,"target":{"function":"set_ssl_ciphers","file":"lib/vtls/schannel.c"},"digest":{"function_hash":"36431407875438539121636832984401189544","length":676},"id":"CVE-2021-22897-ff708dce"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22897.json","vanir_signatures_modified":"2026-04-11T13:53:50Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}