| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Information disclosure |
|
| Description |
| + |
libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. |
| + |
|
| + |
libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto". |
| + |
|
| + |
The issue has existed in libcurl since version 7.1.1 and is fixed in version 7.76.0. |
|
| References |
| + |
https://curl.se/docs/CVE-2021-22876.html |
| + |
https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c |
|
| Notes |
| + |
Workaround |
| + |
========== |
| + |
|
| + |
The issue can be mitigated by providing the credentials with -u or CURLOPT_USERPWD, or by avoiding CURLOPT_AUTOREFERER and --referer ";auto". |
|
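For applications on an affected libcurl version that build the Referer value themselves (CURLOPT_REFERER) instead of relying on CURLOPT_AUTOREFERER, the following added example shows what removing credentials from a URL involves. It is not libcurl's code or the upstream fix; the helper name `strip_url_credentials` is hypothetical, the sample URLs are constructed, and absolute `scheme://` URLs are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libcurl code): copy `url` into `out` with any
 * "user:password@" userinfo removed from the authority component.
 * Returns 0 on success, -1 if `out` is too small. */
int strip_url_credentials(const char *url, char *out, size_t outlen)
{
    const char *auth = strstr(url, "://");
    const char *end, *at = NULL, *p;
    size_t head, tail;

    /* Without a "scheme://" prefix there is no authority to clean. */
    auth = auth ? auth + 3 : url + strlen(url);

    /* The authority ends at the first '/', '?' or '#'. */
    end = auth + strcspn(auth, "/?#");

    /* Userinfo ends at the LAST '@' inside the authority; an '@' in the
     * path or query is data and must be left alone. */
    for (p = auth; p < end; p++)
        if (*p == '@')
            at = p;

    head = (size_t)(auth - url);      /* length of "scheme://" */
    p = at ? at + 1 : auth;           /* host onwards */
    tail = strlen(p);
    if (head + tail + 1 > outlen)
        return -1;
    memcpy(out, url, head);
    memcpy(out + head, p, tail + 1);  /* copies the terminating NUL too */
    return 0;
}

int main(void)
{
    /* Constructed sample URLs, not taken from the advisory. */
    const char *samples[] = {
        "https://alice:s3cret@example.com/a?x=1",
        "https://example.com/mail/bob@example.org",
    };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (strip_url_credentials(samples[i], buf, sizeof buf) == 0)
            printf("%s\n", buf);
    return 0;
}
```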