Code injection

2021-06-1116:15:00

PRIOn knowledge base

www.prio-n.com

5.4 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

74.1%

JSON

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single “static” variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

CPENameOperatorVersion
curlge7.61.0
curlle7.76.1
communications_cloud_native_core_binding_support_functioneq1.11.0
communications_cloud_native_core_network_function_cloud_native_environmenteq1.10.0
communications_cloud_native_core_network_repository_functioneq1.15.0
communications_cloud_native_core_network_repository_functioneq1.15.1
communications_cloud_native_core_network_slice_selection_functioneq1.8.0
communications_cloud_native_core_service_communication_proxyeq1.15.0
essbasege21.0
essbaselt21.3

Name	Operator	Version
curl	ge	7.61.0
curl	le	7.76.1
communications_cloud_native_core_binding_support_function	eq	1.11.0
communications_cloud_native_core_network_function_cloud_native_environment	eq	1.10.0
communications_cloud_native_core_network_repository_function	eq	1.15.0
communications_cloud_native_core_network_repository_function	eq	1.15.1
communications_cloud_native_core_network_slice_selection_function	eq	1.8.0
communications_cloud_native_core_service_communication_proxy	eq	1.15.0
essbase	ge	21.0
essbase	lt	21.3