CVE-2021-22876 Information
Description
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
https://curl.se/docs/CVE-2021-22876.html
https://hackerone.com/reports/1101882
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/
https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html
[debian-lts-announce] 20210517 [SECURITY] [DLA 2664-1] curl security update
https://security.netapp.com/advisory/ntap-20210521-0007/
https://security.gentoo.org/glsa/202105-36
https://www.oracle.com//security-alerts/cpujul2021.html
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
cpe:2.3:a:haxx:libcurl::::::::
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.3
Base Severity
MEDIUM