CVE-2021-22876 log

Severity Medium
Remote Yes
Type Information disclosure
libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".

The issue has existed in libcurl since version 7.1.1 and is fixed in version 7.76.0.
Group Package Affected Fixed Severity Status Ticket
AVG-1758 lib32-libcurl-gnutls 7.75.0-1 7.76.0-1 Medium Fixed
AVG-1757 libcurl-gnutls 7.75.0-1 7.76.0-1 Medium Fixed
AVG-1756 lib32-libcurl-compat 7.75.0-1 7.76.0-1 High Fixed
AVG-1755 libcurl-compat 7.75.0-1 7.76.0-1 High Fixed
AVG-1754 lib32-curl 7.75.0-1 7.76.0-1 High Fixed
AVG-1753 curl 7.75.0-1 7.76.0-1 High Fixed

The issue can be mitigated by providing the credentials with -u or CURLOPT_USERPWD, or by avoiding ACURLOPT_AUTOREFERER and --referer ";auto".