Bugzilla – Bug 1183933
VUL-0: CVE-2021-22876: curl: Automatic referer leaks credentials
Last modified: 2024-03-12 15:51:02 UTC
via oss-security:

Automatic referer leaks credentials
===================================

Project curl Security Advisory, March 31st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22876.html)

VULNERABILITY
-------------

libcurl does not strip off user credentials from the URL when automatically
populating the `Referer:` HTTP request header field in outgoing HTTP requests,
and therefore risks leaking sensitive data to the server that is the target of
the second HTTP request.

libcurl automatically sets the `Referer:` HTTP request header field in outgoing
HTTP requests if the `CURLOPT_AUTOREFERER` option is set. With the curl tool, it
is enabled with `--referer ";auto"`.

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in libcurl since commit
[f30ffef477](https://github.com/curl/curl/commit/f30ffef477) in libcurl 7.1.1,
released on August 21, 2000.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22876 to this issue.

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.1.1 to and including 7.75.0
- Not affected versions: curl < 7.1.1 and curl >= 7.76.0

Also note that libcurl is used by many applications, and not always advertised
as such.

THE SOLUTION
------------

If a provided URL contains credentials, they will be blanked out before the URL
is used to populate the header field.

A [fix for CVE-2021-22876](https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c)

(The patch URL will change in the final published version of this advisory)

RECOMMENDATIONS
--------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade libcurl to version 7.76.0
  B - Apply the patch to your local version
  C - Provide the credentials with `-u` or `CURLOPT_USERPWD`
  D - Avoid `CURLOPT_AUTOREFERER` and `--referer ";auto"`

TIMELINE
--------

This issue was reported to the curl project on February 12, 2021.

This advisory was posted on March 31st 2021.

CREDITS
-------

This issue was reported and patched by Viktor Szakats. Thanks a lot!
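Added example (not curl project code and not part of this bug report): a small Python model of the behaviour the advisory describes. It builds the automatic Referer value both the unfixed way (previous URL copied verbatim) and the fixed way (user:password@ blanked from the authority), walks one cross-host redirect to show what the second server receives, and includes a header check that flags any outgoing header still carrying URL userinfo. The function names, the two-hop scenario and the hostnames are constructed for illustration and are not taken from curl.

```python
"""Model of CVE-2021-22876: auto-populated Referer built from a URL with userinfo.

Added example, not curl project code. Mirrors the advisory's description:
the unfixed path copies the previous URL verbatim into Referer, the fixed
path blanks user:password@ from the authority first, as curl >= 7.76.0 does.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Matches a URL whose authority still carries userinfo ("scheme://...@host").
_USERINFO_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://[^/?#@]*@", re.IGNORECASE)


def strip_userinfo(url: str) -> str:
    """Return url with any user:password@ removed from the authority.

    Works for host:port and bracketed IPv6 hosts. Only the userinfo is
    touched; path, query and fragment are passed through unchanged.
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" in netloc:
        # Keep everything after the last '@': a sloppily encoded password
        # may itself contain '@', and the host is always the final segment.
        netloc = netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def auto_referer(previous_url: str, fixed: bool) -> str:
    """Value the client puts in Referer for the request that follows previous_url.

    fixed=False models curl 7.1.1 - 7.75.0 (CURLOPT_AUTOREFERER copies the URL
    as given); fixed=True models 7.76.0 and later (credentials blanked).
    """
    return strip_userinfo(previous_url) if fixed else previous_url


def redirected_request_headers(previous_url: str, location: str, fixed: bool) -> dict:
    """Headers of the second request after a redirect from previous_url to location.

    Constructed model of the two-request scenario in the advisory: the first
    server answers with a Location on a different host and the client follows
    it with an automatic Referer attached.
    """
    return {
        "Host": urlsplit(location).netloc,
        "Referer": auto_referer(previous_url, fixed),
    }


def headers_leaking_userinfo(headers: dict) -> list:
    """Names of headers whose value is a URL that still contains user:password@.

    A check to run over outgoing requests (from a proxy or a test harness) to
    catch this class of leak regardless of which client produced the request.
    """
    return [name for name, value in headers.items() if _USERINFO_RE.match(value)]


if __name__ == "__main__":
    # Constructed sample: credentials embedded in the URL, redirect to a third party.
    first = "https://alice:s3cret@internal.example/login?next=/dash"
    hop = "https://tracker.example.net/pixel"
    for fixed in (False, True):
        hdrs = redirected_request_headers(first, hop, fixed)
        print("fixed" if fixed else "vulnerable", hdrs, headers_leaking_userinfo(hdrs))
```

Recommendation C in the advisory follows directly from this model: credentials passed with `-u` or `CURLOPT_USERPWD` never appear in the URL string, so there is nothing for the automatic Referer to copy even on an unfixed library.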
Submitted to Factory here: https://build.opensuse.org/request/show/882316
SUSE-SU-2021:1006-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1183933,1183934 CVE References: CVE-2021-22876,CVE-2021-22890 JIRA References: Sources used: SUSE MicroOS 5.0 (src): curl-7.66.0-4.14.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): curl-7.66.0-4.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0510-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1183933,1183934 CVE References: CVE-2021-22876,CVE-2021-22890 JIRA References: Sources used: openSUSE Leap 15.2 (src): curl-7.66.0-lp152.3.15.1, curl-mini-7.66.0-lp152.3.15.1
Created attachment 848622 [details] URL-API patch for SLE-15_Update I have ported the URL-API commit to SLE-15_Update: https://github.com/curl/curl/commit/fb30ac5a2d63773c529c19259754e2b306ac2e2e This is an internal function only used for the purpose of manipulating the URL to remove the credentials from the auto-referer header in transfer.c:Curl_follow(). No API/ABI breakage possible and all the regression tests pass.
SUSE-SU-2021:14707-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1183933 CVE References: CVE-2021-22876 JIRA References: Sources used: SUSE Linux Enterprise Server 11-SECURITY (src): curl-openssl1-7.37.0-70.60.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1396-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1183933 CVE References: CVE-2021-22876 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): curl-7.60.0-11.15.1 SUSE Linux Enterprise Server 12-SP5 (src): curl-7.60.0-11.15.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1786-1: An update that solves 6 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1175109,1177976,1179398,1179399,1179593,1183933,1186114 CVE References: CVE-2020-8231,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286,CVE-2021-22876,CVE-2021-22898 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): curl-7.60.0-4.20.1 SUSE OpenStack Cloud 9 (src): curl-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): curl-7.60.0-4.20.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): curl-7.60.0-4.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1809-1: An update that solves two vulnerabilities, contains one feature and has one errata is now available. Category: security (moderate) Bug References: 1177976,1183933,1186114 CVE References: CVE-2021-22876,CVE-2021-22898 JIRA References: SLE-13843 Sources used: SUSE Manager Server 4.0 (src): curl-7.60.0-3.42.1 SUSE Manager Retail Branch Server 4.0 (src): curl-7.60.0-3.42.1 SUSE Manager Proxy 4.0 (src): curl-7.60.0-3.42.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): curl-7.60.0-3.42.1 SUSE Linux Enterprise Server for SAP 15 (src): curl-7.60.0-3.42.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): curl-7.60.0-3.42.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): curl-7.60.0-3.42.1 SUSE Linux Enterprise Server 15-LTSS (src): curl-7.60.0-3.42.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): curl-7.60.0-3.42.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): curl-7.60.0-3.42.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): curl-7.60.0-3.42.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): curl-7.60.0-3.42.1 SUSE Enterprise Storage 6 (src): curl-7.60.0-3.42.1 SUSE CaaS Platform 4.0 (src): curl-7.60.0-3.42.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released