Описание
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected.
Меры по смягчению последствий
This issue can be avoided by using at least one of the following recommendations:
- Do not enable automatic generation of Referer headers when redirects are followed. This functionality is not enabled by default. In the curl command line tool, it is enabled using the -e ';auto' or --referer ';auto' command line options. In the libcurl library, it is enabled using the CURLOPT_AUTOREFERER option.
- Do not include authentication credentials in URLs (in the form of https://username:password@example.com), use other methods to provide authentication credentials to curl / libcurl. For the curl command line tool, use -u or --user command line option. For the libcurl library, use CURLOPT_USERPWD or CURLOPT_USERNAME / CURLOPT_PASSWORD options.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| .NET Core 2.1 on Red Hat Enterprise Linux | rh-dotnet21-curl | Will not fix | ||
| Red Hat Ceph Storage 2 | curl | Out of support scope | ||
| Red Hat Enterprise Linux 6 | curl | Out of support scope | ||
| Red Hat Enterprise Linux 7 | curl | Out of support scope | ||
| Red Hat Enterprise Linux 9 | curl | Not affected | ||
| Red Hat Software Collections | httpd24-curl | Will not fix | ||
| JBoss Core Services Apache HTTP Server 2.4.37 SP8 | curl | Fixed | RHSA-2021:2471 | 17.06.2021 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24 | Fixed | RHSA-2021:2472 | 17.06.2021 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-apr | Fixed | RHSA-2021:2472 | 17.06.2021 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-apr-util | Fixed | RHSA-2021:2472 | 17.06.2021 |
Показывать по
Дополнительная информация
Статус:
3.7 Low
CVSS3
Связанные уязвимости
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Pr ...
3.7 Low
CVSS3