oss-sec mailing list archives
[SECURITY ADVISORY] curl: Automatic referer leaks credentials
From: Daniel Stenberg <daniel () haxx se>
Date: Wed, 31 Mar 2021 08:01:59 +0200 (CEST)
Automatic referer leaks credentials
===================================

Project curl Security Advisory, March 31st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22876.html)

VULNERABILITY
-------------

libcurl does not strip off user credentials from the URL when automatically
populating the `Referer:` HTTP request header field in outgoing HTTP requests,
and therefore risks leaking sensitive data to the server that is the target of
the second HTTP request.

libcurl automatically sets the `Referer:` HTTP request header field in
outgoing HTTP requests if the `CURLOPT_AUTOREFERER` option is set. With the
curl tool, it is enabled with `--referer ";auto"`.

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in libcurl since commit
[f30ffef477](https://github.com/curl/curl/commit/f30ffef477) in libcurl 7.1.1,
released on August 21, 2000.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22876 to this issue.

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.1.1 to and including 7.75.0
- Not affected versions: curl < 7.1.1 and curl >= 7.76.0

Also note that libcurl is used by many applications, and not always advertised
as such.

THE SOLUTION
------------

If a provided URL contains credentials, they will be blanked out before the URL
is used to populate the header field.

A [fix for CVE-2021-22876](https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c)

(The patch URL will change in the final published version of this advisory)

RECOMMENDATIONS
--------------

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade libcurl to version 7.76.0

B - Apply the patch to your local version

C - Provide the credentials with `-u` or `CURLOPT_USERPWD`

D - Avoid `CURLOPT_AUTOREFERER` and `--referer ";auto"`

TIMELINE
--------

This issue was reported to the curl project on February 12, 2021.

This advisory was posted on March 31st 2021.

CREDITS
-------

This issue was reported and patched by Viktor Szakats. Thanks a lot!

-- 

/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://www.wolfssl.com/contact/
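The following is an added example and not libcurl's code or part of the advisory. It models, in stand-alone Python, the two behaviours the advisory describes: the pre-7.76.0 automatic `Referer:` that copies the previous URL verbatim (credentials included), and the fixed behaviour that blanks the `user:password@` part before the URL is used. It also includes a small check a defender can run over captured request headers to spot a `Referer:` that still carries credentials. The function names, the sample URL and the sample header lines are constructed for this illustration.

```python
"""Model of the CVE-2021-22876 behaviour and its fix (added example, not libcurl code)."""
import re
from urllib.parse import urlsplit, urlunsplit


def referer_before_fix(previous_url: str) -> str:
    """Vulnerable behaviour (curl 7.1.1 .. 7.75.0): the previous URL is used as-is,
    so a URL of the form scheme://user:pass@host/... leaks user:pass to the
    server that receives the next request."""
    return previous_url


def strip_userinfo(url: str) -> str:
    """Return `url` with any user:password@ removed from the authority part.

    Mirrors the idea of the fix: credentials are blanked before the URL is
    copied into the Referer: header. Scheme, host, port, path, query and
    fragment are left exactly as given.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # nothing to strip
    host = parts.hostname or ""
    if ":" in host:
        # urlsplit() returns IPv6 literals without brackets; put them back.
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def referer_after_fix(previous_url: str) -> str:
    """Fixed behaviour (curl >= 7.76.0): credentials blanked before use."""
    return strip_userinfo(previous_url)


# A URL whose authority still contains a userinfo component: scheme://<userinfo>@...
_USERINFO_IN_URL = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/?#@]+@")


def referer_leaks_credentials(header_value: str) -> bool:
    """True if a Referer: header value still carries user[:password]@ in its authority."""
    return _USERINFO_IN_URL.match(header_value.strip()) is not None


def find_leaking_referers(header_lines):
    """Scan raw request header lines and return the Referer values that leak credentials.

    Useful on a reverse proxy or in an access log that records the Referer
    header: any hit means a client sent credentials to this server that it
    only ever intended for the previous request's host.
    """
    leaks = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referer" and referer_leaks_credentials(value):
            leaks.append(value.strip())
    return leaks


# Constructed sample: a first request was made with credentials embedded in the
# URL, then auto-referer populated the second request to a different host.
FIRST_URL = "https://alice:s3cret@intranet.example/report?id=7"
SAMPLE_HEADERS = [
    "GET /landing HTTP/1.1",
    "Host: other.example",
    "Referer: " + referer_before_fix(FIRST_URL),   # leaks alice:s3cret
    "User-Agent: curl/7.75.0",
]
SAMPLE_HEADERS_FIXED = [
    "GET /landing HTTP/1.1",
    "Host: other.example",
    "Referer: " + referer_after_fix(FIRST_URL),    # credentials blanked
    "User-Agent: curl/7.76.0",
]

if __name__ == "__main__":
    print("before fix:", referer_before_fix(FIRST_URL))
    print("after fix: ", referer_after_fix(FIRST_URL))
    print("leaks found in vulnerable request:", find_leaking_referers(SAMPLE_HEADERS))
    print("leaks found in fixed request:     ", find_leaking_referers(SAMPLE_HEADERS_FIXED))
```

Running the module shows the same URL with and without the `alice:s3cret@` part and reports the leak only for the vulnerable request. Recommendation C in the advisory sidesteps the problem entirely: credentials passed with `-u` / `CURLOPT_USERPWD` never form part of the URL, so there is nothing for the automatic `Referer:` to copy.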