Bug 1183933 - (CVE-2021-22876) VUL-0: CVE-2021-22876: curl: Automatic referer leaks credentials
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/280319
Whiteboard: CVSSv3.1:SUSE:CVE-2021-22876:6.1:(AV:...
Reported: 2021-03-23 17:57 UTC by Robert Frohl
Modified: 2021-10-04 14:36 UTC

Attachments
URL-API patch for SLE-15_Update (50.29 KB, patch)
2021-04-21 18:19 UTC, Pedro Monreal Gonzalez

Comment 13 Robert Frohl 2021-03-31 09:27:31 UTC
via oss-security:

Automatic referer leaks credentials
===================================

Project curl Security Advisory, March 31st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22876.html)

VULNERABILITY
-------------

libcurl does not strip off user credentials from the URL when automatically
populating the `Referer:` HTTP request header field in outgoing HTTP requests,
and therefore risks leaking sensitive data to the server that is the target of
the second HTTP request.

libcurl automatically sets the `Referer:` HTTP request header field in
outgoing HTTP requests if the `CURLOPT_AUTOREFERER` option is set. With the
curl tool, it is enabled with `--referer ";auto"`.

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in libcurl since commit
[f30ffef477](https://github.com/curl/curl/commit/f30ffef477) in libcurl 7.1.1,
released on August 21, 2000.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22876 to this issue.

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.1.1 to and including 7.75.0
- Not affected versions: curl < 7.1.1 and curl >= 7.76.0

Also note that libcurl is used by many applications, and not always
advertised as such.

THE SOLUTION
------------

If a provided URL contains credentials, they will be blanked out before the
URL is used to populate the header field.

A [fix for CVE-2021-22876](https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c)

(The patch URL will change in the final published version of this advisory)

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade libcurl to version 7.76.0

 B - Apply the patch to your local version

 C - Provide the credentials with `-u` or `CURLOPT_USERPWD`

 D - Avoid `CURLOPT_AUTOREFERER` and `--referer ";auto"`

TIMELINE
--------

This issue was reported to the curl project on February 12, 2021.

This advisory was posted on March 31st 2021.

CREDITS
-------

This issue was reported and patched by Viktor Szakats.

Thanks a lot!
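Editor's worked example for the advisory quoted above. This is added illustration code, not curl's own source: it models, in Python, the Referer: value the vulnerable auto-referer logic produced (the previous URL verbatim, credentials included) next to the post-fix value (credentials blanked before reuse), and then runs a detection pass over constructed combined-format access-log lines to find Referer values that still carry user:password@. The function names (`strip_userinfo`, `auto_referer_vulnerable`, `auto_referer_fixed`, `find_credential_leaks`), the host names, the log lines and the credentials in them are all made up for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed access-log lines (combined log format) for the example;
# not taken from any real server. Line 1 is what a server on the far side
# of a redirect would record from an unpatched curl with --referer ";auto".
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2021:10:00:01 +0000] "GET /landing HTTP/1.1" 200 512 "https://alice:s3cr3t@intranet.example/report?id=7" "curl/7.75.0"
203.0.113.7 - - [31/Mar/2021:10:00:02 +0000] "GET /landing HTTP/1.1" 200 512 "https://intranet.example/report?id=7" "curl/7.76.0"
203.0.113.9 - - [31/Mar/2021:10:00:03 +0000] "GET /x HTTP/1.1" 404 0 "-" "curl/7.75.0"
"""


def strip_userinfo(url: str) -> str:
    """Remove any user:password@ from the authority part of url.

    This mirrors what the advisory says the 7.76.0 fix does: credentials are
    blanked out before the URL is reused to populate Referer:. Splitting on
    the last '@' in the netloc is correct because a raw '@' cannot appear in
    the host:port part; the path, query and fragment are untouched.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host_port = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host_port, parts.path, parts.query, parts.fragment))


def auto_referer_vulnerable(previous_url: str) -> str:
    """Referer: value curl 7.1.1 through 7.75.0 sent: the previous URL verbatim."""
    return previous_url


def auto_referer_fixed(previous_url: str) -> str:
    """Referer: value after the fix: the previous URL with credentials removed."""
    return strip_userinfo(previous_url)


def has_userinfo(url: str) -> bool:
    """True if a URL (for example a logged Referer) still carries user:password@."""
    if url in ("", "-"):
        return False
    return "@" in urlsplit(url).netloc


# Combined log format tail: "METHOD target HTTP/x.y" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'"[A-Z]+ \S+ HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_credential_leaks(log_text: str) -> list:
    """Scan access-log text for Referer values that contain credentials.

    Each finding records the line number, the client User-Agent, the leaked
    username and a redacted Referer, never the password, so the finding itself
    does not re-leak the secret into a ticket or SIEM.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        referer = m.group("referer")
        if has_userinfo(referer):
            findings.append({
                "line": lineno,
                "user_agent": m.group("ua"),
                "username": urlsplit(referer).username,
                "referer_redacted": strip_userinfo(referer),
            })
    return findings


if __name__ == "__main__":
    origin = "https://alice:s3cr3t@intranet.example/report?id=7"
    print("7.75.0 Referer:", auto_referer_vulnerable(origin))
    print("7.76.0 Referer:", auto_referer_fixed(origin))
    for finding in find_credential_leaks(SAMPLE_LOG):
        print("leak:", finding)
```

Running the block prints the two Referer values side by side and one finding for the first log line. The detection pass is the part a responder would reuse: the server that receives the leaked Referer is the one whose logs hold the evidence, so the scan is meant for the logs of the redirect target, not of the host that was given the credentials.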
Comment 14 Pedro Monreal Gonzalez 2021-03-31 10:08:33 UTC
Submitted to Factory here:
   https://build.opensuse.org/request/show/882316
Comment 16 Swamp Workflow Management 2021-04-01 19:16:58 UTC
SUSE-SU-2021:1006-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1183933,1183934
CVE References: CVE-2021-22876,CVE-2021-22890
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    curl-7.66.0-4.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    curl-7.66.0-4.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2021-04-05 01:16:44 UTC
openSUSE-SU-2021:0510-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1183933,1183934
CVE References: CVE-2021-22876,CVE-2021-22890
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    curl-7.66.0-lp152.3.15.1, curl-mini-7.66.0-lp152.3.15.1
Comment 19 Pedro Monreal Gonzalez 2021-04-21 18:19:12 UTC
Created attachment 848622
URL-API patch for SLE-15_Update

I have ported the URL-API commit to SLE-15_Update:
   https://github.com/curl/curl/commit/fb30ac5a2d63773c529c19259754e2b306ac2e2e

This is an internal function only used for the purpose of manipulating the URL to remove the credentials from the auto-referer header in transfer.c:Curl_follow(). No API/ABI breakage possible and all the regression tests pass.
Comment 23 Swamp Workflow Management 2021-04-28 13:20:58 UTC
SUSE-SU-2021:14707-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1183933
CVE References: CVE-2021-22876
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.37.0-70.60.1

Comment 24 Swamp Workflow Management 2021-04-28 13:28:40 UTC
SUSE-SU-2021:1396-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1183933
CVE References: CVE-2021-22876
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    curl-7.60.0-11.15.1
SUSE Linux Enterprise Server 12-SP5 (src):    curl-7.60.0-11.15.1

Comment 27 Swamp Workflow Management 2021-05-27 19:29:26 UTC
SUSE-SU-2021:1786-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1175109,1177976,1179398,1179399,1179593,1183933,1186114
CVE References: CVE-2020-8231,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286,CVE-2021-22876,CVE-2021-22898
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    curl-7.60.0-4.20.1
SUSE OpenStack Cloud 9 (src):    curl-7.60.0-4.20.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    curl-7.60.0-4.20.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    curl-7.60.0-4.20.1

Comment 28 Swamp Workflow Management 2021-05-31 19:16:25 UTC
SUSE-SU-2021:1809-1: An update that solves two vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1177976,1183933,1186114
CVE References: CVE-2021-22876,CVE-2021-22898
JIRA References: SLE-13843
Sources used:
SUSE Manager Server 4.0 (src):    curl-7.60.0-3.42.1
SUSE Manager Retail Branch Server 4.0 (src):    curl-7.60.0-3.42.1
SUSE Manager Proxy 4.0 (src):    curl-7.60.0-3.42.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    curl-7.60.0-3.42.1
SUSE Linux Enterprise Server for SAP 15 (src):    curl-7.60.0-3.42.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    curl-7.60.0-3.42.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    curl-7.60.0-3.42.1
SUSE Linux Enterprise Server 15-LTSS (src):    curl-7.60.0-3.42.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    curl-7.60.0-3.42.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    curl-7.60.0-3.42.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    curl-7.60.0-3.42.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    curl-7.60.0-3.42.1
SUSE Enterprise Storage 6 (src):    curl-7.60.0-3.42.1
SUSE CaaS Platform 4.0 (src):    curl-7.60.0-3.42.1

Comment 29 Marcus Meissner 2021-08-09 12:51:43 UTC
released