Daniel Stenberg via curl-users
2021-03-31 06:01:59 UTC
Automatic referer leaks credentials
===================================
Project curl Security Advisory, March 31st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22876.html)
VULNERABILITY
-------------
libcurl does not strip off user credentials from the URL when automatically
populating the `Referer:` HTTP request header field in outgoing HTTP requests,
and therefore risks leaking sensitive data to the server that is the target of
the second HTTP request.
libcurl automatically sets the `Referer:` HTTP request header field in
outgoing HTTP requests if the `CURLOPT_AUTOREFERER` option is set. With the
curl tool, it is enabled with `--referer ";auto"`.
We are not aware of any exploit of this flaw.
INFO
----
This flaw has existed in libcurl since commit
[f30ffef477](https://github.com/curl/curl/commit/f30ffef477) in libcurl 7.1.1,
released on August 21, 2000.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22876 to this issue.
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Severity: Low
AFFECTED VERSIONS
-----------------
- Affected versions: curl 7.1.1 to and including 7.75.0
- Not affected versions: curl < 7.1.1 and curl >= 7.76.0
Also note that libcurl is used by many applications, and not always
advertised as such.
THE SOLUTION
------------
If a provided URL contains credentials, they will be blanked out before the
URL is used to populate the header field.
A [fix for CVE-2021-22876](https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c)
(The patch URL will change in the final published version of this advisory)
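As an added example that is not curl's own code and not the actual patch, the following C program contrasts the pre-7.76.0 behaviour (the previous request's URL copied verbatim into the `Referer:` value) with the fixed behaviour (userinfo blanked out before the URL is reused). The function names and the sample URL are assumptions chosen for illustration; the key detail is that only an `@` inside the authority part is a credential separator, while an `@` in the path or query must be left alone.

```c
#include <stdio.h>
#include <string.h>

/* Locate the authority (userinfo@host:port) section of a URL.
   Returns a pointer to its start and stores its length; an '@' beyond the
   first '/', '?' or '#' belongs to the path or query, not to credentials. */
static const char *url_authority(const char *url, size_t *len)
{
    const char *authority = url;
    const char *sep = strstr(url, "://");
    if (sep)
        authority = sep + 3;
    *len = strcspn(authority, "/?#");
    return authority;
}

/* Returns 1 if the URL carries userinfo (user[:password]@) in its authority. */
int url_has_credentials(const char *url)
{
    size_t len;
    const char *authority = url_authority(url, &len);
    return memchr(authority, '@', len) != NULL;
}

/* Pre-7.76.0 behaviour (illustrative, not libcurl's code): the previous
   request's URL is used verbatim, credentials included. */
int referer_unstripped(const char *url, char *out, size_t outlen)
{
    if (strlen(url) + 1 > outlen)
        return -1;
    strcpy(out, url);
    return 0;
}

/* Hardened variant: copy the URL with the userinfo excised. The host is taken
   to begin after the last '@' inside the authority, so a raw '@' in a
   password cannot let part of it survive. Returns 0 on success, -1 if
   out is too small. */
int referer_strip_credentials(const char *url, char *out, size_t outlen)
{
    size_t auth_len;
    const char *authority = url_authority(url, &auth_len);
    const char *host = authority;
    for (size_t i = 0; i < auth_len; i++)
        if (authority[i] == '@')
            host = authority + i + 1;

    size_t prefix_len = (size_t)(authority - url);
    size_t rest_len = strlen(host);
    if (prefix_len + rest_len + 1 > outlen)
        return -1;
    memcpy(out, url, prefix_len);
    memcpy(out + prefix_len, host, rest_len + 1); /* copies the NUL too */
    return 0;
}

int main(void)
{
    /* constructed sample: the first request carried credentials in the URL */
    const char *prev = "https://alice:s3cret@intranet.example/report?id=7";
    char before[256], after[256];
    referer_unstripped(prev, before, sizeof before);
    referer_strip_credentials(prev, after, sizeof after);
    printf("before fix: Referer: %s\n", before);
    printf("after fix:  Referer: %s\n", after);
    return 0;
}
```

The stripped form is what the next request should carry; note that port, path and query survive unchanged, so the header remains useful to the second server while the password no longer crosses to it.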
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade libcurl to version 7.76.0
B - Apply the patch to your local version
C - Provide the credentials with `-u` or `CURLOPT_USERPWD`
D - Avoid `CURLOPT_AUTOREFERER` and `--referer ";auto"`
TIMELINE
--------
This issue was reported to the curl project on February 12, 2021.
This advisory was posted on March 31st 2021.
CREDITS
-------
This issue was reported and patched by Viktor Szakats.
Thanks a lot!
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://www.wolfssl.com/contact/
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://cu