CVE-2021-22876 log
Source | |
---|---|
Severity | Medium |
Remote | Yes |
Type | Information disclosure |
Description | libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto". The issue has existed in libcurl since version 7.1.1 and is fixed in version 7.76.0. |
Group | Package | Affected | Fixed | Severity | Status | Ticket |
---|---|---|---|---|---|---|
AVG-1758 | lib32-libcurl-gnutls | 7.75.0-1 | 7.76.0-1 | Medium | Fixed | |
AVG-1757 | libcurl-gnutls | 7.75.0-1 | 7.76.0-1 | Medium | Fixed | |
AVG-1756 | lib32-libcurl-compat | 7.75.0-1 | 7.76.0-1 | High | Fixed | |
AVG-1755 | libcurl-compat | 7.75.0-1 | 7.76.0-1 | High | Fixed | |
AVG-1754 | lib32-curl | 7.75.0-1 | 7.76.0-1 | High | Fixed | |
AVG-1753 | curl | 7.75.0-1 | 7.76.0-1 | High | Fixed |
References |
---|
https://curl.se/docs/CVE-2021-22876.html |
https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c |
Notes |
---|
Workaround: The issue can be mitigated by providing the credentials with -u or CURLOPT_USERPWD, or by avoiding CURLOPT_AUTOREFERER and --referer ";auto". |
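The following is an added example, not code from the curl project or from this tracker entry. It models the step libcurl was missing for CVE-2021-22876 (dropping the `user:password@` part of the previous URL before copying it into `Referer:`), shows the pre-7.76.0 behaviour beside the fixed one, and adds a server-side log check a defender can run to find clients that have already leaked credentials this way. All URLs, hostnames and log lines are constructed sample data; the function names are this example's own.

```python
# Added example, not code from the curl project or from this tracker entry.
# It mirrors the step libcurl was missing for CVE-2021-22876: when an HTTP
# client auto-populates Referer: from the previous request's URL, the
# user:password@ part of that URL must be dropped first. All URLs and log
# lines below are constructed sample data.
from urllib.parse import urlsplit, urlunsplit


def strip_userinfo(url: str) -> str:
    """Return url without any userinfo (user:password@) in its authority."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # The last '@' delimits userinfo from host[:port] in the authority.
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))


def auto_referer(previous_url: str, fixed: bool = True) -> str:
    """Value an auto-referer client would place in the Referer: header.

    fixed=False reproduces the pre-7.76.0 behaviour described in the entry:
    the previous URL is copied verbatim, credentials included.
    """
    return strip_userinfo(previous_url) if fixed else previous_url


def referer_leaks_credentials(referer: str) -> bool:
    """Detection check for server-side log review: True if a Referer value
    still carries userinfo, i.e. a client leaked credentials to this server."""
    return "@" in urlsplit(referer).netloc


# Constructed access-log lines in a combined-log-like format; the second
# quoted field is the Referer, the third the User-Agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2021:10:00:00 +0000] "GET /a HTTP/1.1" 200 12 "https://alice:s3cret@origin.example/login" "curl/7.75.0"',
    '203.0.113.5 - - [01/Apr/2021:10:00:01 +0000] "GET /b HTTP/1.1" 200 12 "https://origin.example/login" "curl/7.76.0"',
    '203.0.113.6 - - [01/Apr/2021:10:00:02 +0000] "GET /c HTTP/1.1" 200 12 "-" "curl/7.76.0"',
]


def find_leaking_requests(log_lines):
    """Return the Referer values from log lines whose Referer carries userinfo."""
    leaks = []
    for line in log_lines:
        quoted = line.split('"')
        if len(quoted) < 6:
            continue  # not in the expected quoted-field layout
        referer = quoted[3]
        if referer != "-" and referer_leaks_credentials(referer):
            leaks.append(referer)
    return leaks


if __name__ == "__main__":
    url = "https://alice:s3cret@origin.example/login"
    print("vulnerable Referer:", auto_referer(url, fixed=False))
    print("fixed Referer:     ", auto_referer(url))
    print("leaking Referer values in sample log:", find_leaking_requests(SAMPLE_LOG))
```

`find_leaking_requests` is the defender's view of the bug: any Referer value containing userinfo means a client built its request the vulnerable way, which is a prompt to rotate those credentials and to move callers to `-u`/`CURLOPT_USERPWD` as the workaround above recommends.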