Описание
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom Authorization: headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
It was found that curl and libcurl might send their Authentication header to a third party HTTP server upon receiving an HTTP REDIRECT reply. This could leak authentication token to external entities.
Отчет
This issue affects the versions of curl as shipped with Red Hat Enterprise Linux 5, 6, and 7, as well as the versions of httpd24-curl as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Меры по смягчению последствий
By default, curl and libcurl will not follow redirect requests. This flaw happens only when curl or libcurl are explicitly requested to follow redirects (option --location in curl, and CURLOPT_FOLLOWLOCATION in libcurl). To mitigate this, it is possible to prevent the automated following of redirects, replacing it by manual redirects (and remove the authentication header), for example.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| .NET Core 1.0 on Red Hat Enterprise Linux | rh-dotnetcore10-curl | Out of support scope | ||
| .NET Core 1.1 on Red Hat Enterprise Linux | rh-dotnetcore11-curl | Out of support scope | ||
| .NET Core 2.0 on Red Hat Enterprise Linux | rh-dotnet20-curl | Out of support scope | ||
| .NET Core 2.1 on Red Hat Enterprise Linux | rh-dotnet21-curl | Will not fix | ||
| Red Hat Ceph Storage 2 | curl | Not affected | ||
| Red Hat Enterprise Linux 5 | curl | Out of support scope | ||
| Red Hat Enterprise Linux 6 | curl | Out of support scope | ||
| JBoss Core Services Apache HTTP Server 2.4.29 SP2 | jbcs-httpd24-curl | Fixed | RHSA-2019:1543 | 18.06.2019 |
| Red Hat Enterprise Linux 7 | curl | Fixed | RHSA-2018:3157 | 30.10.2018 |
| Red Hat Enterprise Linux 7 | nss-pem | Fixed | RHSA-2018:3157 | 30.10.2018 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
libcurl 7.1 through 7.57.0 might accidentally leak authentication data ...
EPSS
6.5 Medium
CVSS3