CURL-CVE-2021-22890

See a problem?
Please try reporting it to the source first.
Source
https://curl.se/docs/CVE-2021-22890.html
Import Source
https://curl.se/docs/CURL-CVE-2021-22890.json
JSON Data
https://api.test.osv.dev/v1/vulns/CURL-CVE-2021-22890
Aliases
Published
2021-03-31T08:00:00Z
Modified
2026-05-19T09:30:08.751312041Z
Summary
TLS 1.3 session ticket proxy host mix-up
Details

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.

When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.

When confusing the tickets, an HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed.

This flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a malicious HTTPS proxy needs to provide a certificate that curl accepts for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

Database specific 
{
    "www": "https://curl.se/docs/CVE-2021-22890.html",
    "affects": "both",
    "package": "curl",
    "issue": "https://hackerone.com/reports/1129529",
    "severity": "Low",
    "CWE": {
        "desc": "Authentication Bypass by Spoofing",
        "id": "CWE-290"
    },
    "last_affected": "7.75.0",
    "URL": "https://curl.se/docs/CVE-2021-22890.json"
}
References
Credits
    • Mingtao Yang (Facebook) - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.63.0
Fixed
7.76.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
549310e907e82e44c59548351d4c6ac4aaada114
Fixed
b09c8ee15771c614c4bf3ddac893cdb12187c844

Affected versions

7.*
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
Other
curl-7_63_0
curl-7_64_0
curl-7_64_1
curl-7_65_0
curl-7_65_1
curl-7_65_2
curl-7_65_3
curl-7_66_0
curl-7_67_0
curl-7_68_0
curl-7_69_0
curl-7_69_1
curl-7_70_0
curl-7_71_0
curl-7_71_1
curl-7_72_0
curl-7_73_0
curl-7_74_0
curl-7_75_0

Database specific

source 
"https://curl.se/docs/CURL-CVE-2021-22890.json"