curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
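The shared-static-variable flaw described above, reduced to a small model. This is an added example, not code from curl or Schannel: the types, function names and cipher labels are constructed, and per-connection storage is shown as the corrected pattern on the assumption that it is the usual fix, since the page does not describe the patch.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ALGS 8
struct algset { const char *ids[MAX_ALGS]; size_t n; };
struct conn {
    struct algset own;              /* per-connection storage */
    const struct algset *effective; /* list the handshake would offer */
};
static struct algset shared;        /* flawed: one slot for the whole process */
static void fill(struct algset *dst, const char *const *list, size_t n)
{
    dst->n = 0;
    for (size_t i = 0; i < n && dst->n < MAX_ALGS; i++)
        dst->ids[dst->n++] = list[i];
}
/* Flawed pattern: every call overwrites the list used by all connections. */
void set_ciphers_shared(struct conn *c, const char *const *list, size_t n)
{
    fill(&shared, list, n);
    c->effective = &shared;
}
/* Corrected pattern: each connection keeps and uses its own copy. */
void set_ciphers_per_conn(struct conn *c, const char *const *list, size_t n)
{
    fill(&c->own, list, n);
    c->effective = &c->own;
}
int offers(const struct conn *c, const char *alg)
{
    for (size_t i = 0; i < c->effective->n; i++)
        if (strcmp(c->effective->ids[i], alg) == 0) return 1;
    return 0;
}
/* Configure A (strict) then B (loose); return 1 if A still offers only its own list. */
int a_keeps_own_policy(void (*set)(struct conn *, const char *const *, size_t))
{
    static const char *const strict[] = { "AES256" };  /* constructed labels */
    static const char *const loose[] = { "AES256", "3DES", "RC4" };
    struct conn a = {0}, b = {0};
    set(&a, strict, 1);
    set(&b, loose, 3);
    return offers(&a, "AES256") && !offers(&a, "RC4") && offers(&b, "RC4");
}
int main(void)
{
    printf("shared: %d  per-connection: %d\n", a_keeps_own_policy(set_ciphers_shared),
           a_keeps_own_policy(set_ciphers_per_conn));
    return 0;
}
```

With the shared slot, transfer A ends up offering B's weaker list even though A was configured first with a strict one; a regression test for this class of bug configures two handles differently and checks each one's effective list.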
Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Link | Tags |
---|---|
https://hackerone.com/reports/1172857 | issue tracking, exploit, third party advisory |
https://curl.se/docs/CVE-2021-22897.html | patch, vendor advisory |
https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511 | third party advisory, patch |
https://www.oracle.com//security-alerts/cpujul2021.html | third party advisory, patch |
https://www.oracle.com/security-alerts/cpujan2022.html | third party advisory, patch |
https://security.netapp.com/advisory/ntap-20210727-0007/ | third party advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | third party advisory, patch |
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | third party advisory, patch |