VDB
ALPINE-CVE-2021-22897
ALPINE-CVE-2021-22897
PUBLISHED
CVSS 5.300000190734863 MEDIUM
curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
Risk Scores
CVSS v3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.14 | curl | 0, 0, 0 |
| Alpine:v3.19 | curl | 0, 0, 0 |
| Alpine:v3.11 | curl | 0, 0, 0 |
| Alpine:v3.15 | curl | 0, 0, 0 |
| Alpine:v3.16 | curl | 0, 0, 0 |
| Alpine:v3.18 | curl | 0, 0, 0 |
| Alpine:v3.20 | curl | 0, 0, 0 |
| Alpine:v3.12 | curl | 0, 0, 0 |
| Alpine:v3.13 | curl | 0, 0, 0 |
| Alpine:v3.23 | curl | 0, 0, 0 |
| Alpine:v3.21 | curl | 0, 0, 0 |
| Alpine:v3.22 | curl | 0, 0, 0 |
| Alpine:v3.17 | curl | 0, 0, 0 |
Timeline
- Jun 11, 2021 CVE Published
- Dec 3, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch