{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2015-3236",
  "aliases": [
    "CVE-2015-3236"
  ],
  "summary": "lingering HTTP credentials in connection reuse",
  "modified": "2025-09-27T10:58:29.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2015-3236.json",
    "www": "https://curl.se/docs/CVE-2015-3236.html",
    "CWE": {
      "id": "CWE-305",
      "desc": "Authentication Bypass by Primary Weakness"
    },
    "last_affected": "7.42.1",
    "severity": "High"
  },
  "published": "2015-06-17T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.40.0"},
             {"fixed": "7.43.0"}
           ]
        }      ],
      "versions": [
        "7.42.1", "7.42.0", "7.41.0", "7.40.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Tomas Tomecek",
      "type": "FINDER"
    },
    {
      "name": "Kamil Dudka",
      "type": "FINDER"
    },
    {
      "name": "Kamil Dudka",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl can wrongly send HTTP credentials when reusing connections.\n\nlibcurl allows applications to set credentials for the upcoming transfer with\nHTTP Basic authentication, like with `CURLOPT_USERPWD` for example. Name and\npassword. Just like all other libcurl options the credentials are sticky and\nare kept associated with the \"handle\" until something is made to change the\nsituation.\n\nFurther, libcurl offers a `curl_easy_reset()` function that resets a handle\nback to its pristine state in terms of all settable options. A reset is of\ncourse also supposed to clear the credentials. A reset is typically used to\nclear up the handle and prepare it for a new, possibly unrelated, transfer.\n\nWithin such a handle, libcurl can also store a set of previous connections in\ncase a second transfer is requested to a hostname for which an existing\nconnection is already kept alive.\n\nWith this flaw present, using the handle even after a reset would make libcurl\naccidentally use those credentials in a subsequent request if done to the same\nhostname and connection as was previously accessed.\n\nAn example case would be first requesting a password protected resource from\none section of a website, and then do a second request of a public resource\nfrom a completely different part of the site without authentication. This flaw\nwould then inadvertently leak the credentials in the second request."
}