CVE-2021-22890

Severity CVSS v4.0:
Pending analysis
Type:
CWE-300 Channel Accessible by Non-Endpoint
Publication date:
01/04/2021
Last modified:
09/06/2025

Description

curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* 7.63.0 (including) 7.75.0 (including)
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*
cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* 1.0.1.1 (excluding)
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* 8.2.0 (including) 8.2.12 (excluding)
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* 9.0.0 (including) 9.0.6 (excluding)
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*