libcurl lets applictions specify which specific TLS ciphers to use in transfers, using the option called CURLOPT_SSL_CIPHER_LIST. The cipher selection is used for the TLS negotation when a transfer is done involving any of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS, IMAPS, POP3S, SMTPS etc. Due to a mistake in the code, the selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
Upstream advisory: https://curl.se/docs/CVE-2021-22897.html Upstream commit: https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511
This issue does not affect the curl packages as shipped in Red Hat products, as it only affects curl versions build to use schannel library as its TLS backend. The schannel is the native TLS library in Microsoft Windows.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22897
HackerOne report: https://hackerone.com/reports/1172857