ALPINE-CVE-2021-22890
curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.20 | curl | 7.75.0-r0, 0, 7.19.2-r0 |
| Alpine:v3.23 | curl | 7.46.0-r2, 7.75.0-r0, 7.74.0-r0 |
| Alpine:v3.13 | curl | 7.45.0-r0, 7.74.0-r1, 7.74.0-r0 |
| Alpine:v3.19 | curl | 7.25.0-r0, 7.24.0-r0, 7.23.1-r0 |
| Alpine:v3.16 | curl | 7.21.2-r0, 7.23.1-r0, 7.22.0-r0 |
| Alpine:v3.12 | curl | 7.65.3-r0, 7.66.0-r0, 7.68.0-r0 |
| Alpine:v3.21 | curl | 7.50.2-r0, 7.19.2-r1, 7.19.4-r0 |
| Alpine:v3.15 | curl | 7.75.0-r0, 7.19.2-r0, 7.19.2-r1 |
| Alpine:v3.22 | curl | 7.49.1-r0, 7.49.0-r0, 7.48.0-r0 |
| Alpine:v3.17 | curl | 7.20.1-r0, 0, 7.19.2-r0 |
| Alpine:v3.18 | curl | 7.62.0-r0, 7.19.2-r0, 7.19.2-r1 |
| Alpine:v3.14 | curl | 0, 7.75.0-r0, 7.74.0-r0 |
Timeline
- Apr 1, 2021 CVE Published
- Dec 3, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch