CVE-2021-22876

CVE-2021-22876

Name

CVE-2021-22876

Description

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Patch	https://curl.se/docs/CVE-2021-22876.html
Permissions Required	https://hackerone.com/reports/1101882
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/
MLIST	https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html
Third Party Advisory	https://security.netapp.com/advisory/ntap-20210521-0007/
Third Party Advisory	https://security.gentoo.org/glsa/202105-36
N/A	https://www.oracle.com//security-alerts/cpujul2021.html
Patch	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/

Type

URI

Patch

https://curl.se/docs/CVE-2021-22876.html

Permissions Required

https://hackerone.com/reports/1101882

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/

MLIST

https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html

Third Party Advisory

https://security.netapp.com/advisory/ntap-20210521-0007/

Third Party Advisory

https://security.gentoo.org/glsa/202105-36

N/A

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:haxx:libcurl::::::::`	libcurl	>= 7.1.1	<= 7.75.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*

libcurl

>= 7.1.1

<= 7.75.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
curl	edge-main	7.76.0-r0	None	fixed
curl	3.22-main	7.76.0-r0	None	fixed
curl	3.21-main	7.76.0-r0	None	fixed
curl	3.20-main	7.76.0-r0	None	fixed
curl	3.19-main	7.76.0-r0	None	fixed
curl	3.18-main	7.76.0-r0	None	fixed
curl	3.17-main	7.76.0-r0	None	fixed
curl	3.12-main	7.76.0-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

curl

edge-main

7.76.0-r0

None

fixed

curl

3.22-main