Automatic referer leaks credentials
Project curl Security Advisory, March 31st 2021
libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22876 to this issue.
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
- Affected versions: curl 7.1.1 to and including 7.75.0
- Not affected versions: curl < 7.1.1 and curl >= 7.76.0
- Introduced-in: https://github.com/curl/curl/commit/f30ffef477
Also note that libcurl is used by many applications, and not always advertised as such.
If a provided URL contains credentials, they will be blanked out before the URL is used to populate the header field.
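The behaviour described above, sketched as a stand-alone C function (an added example, not the curl project's patch or code): it removes the userinfo from a URL before the URL is used as a Referer: value, and also drops the fragment, which RFC 7231 section 5.5.2 likewise excludes from Referer. The name sanitize_referer and the sample URL are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of libcurl. Copies `url` into `out` without
 * the userinfo ("user:password@") and without the "#fragment".
 * Assumes RFC 3986 syntax: '/', '?' and '#' inside credentials are
 * percent-encoded. Returns 0 on success, -1 on bad input or short buffer. */
int sanitize_referer(const char *url, char *out, size_t outlen)
{
    if (!url || !out || outlen == 0)
        return -1;

    /* Only absolute URLs with an authority ("scheme://...") are accepted. */
    size_t scheme = strcspn(url, ":/?#");
    if (strncmp(url + scheme, "://", 3) != 0)
        return -1;
    const char *auth = url + scheme + 3;
    size_t authlen = strcspn(auth, "/?#");

    /* Userinfo ends at the last '@' inside the authority. An '@' in the
     * path or query is ordinary data and is left untouched. */
    const char *host = auth;
    for (size_t i = 0; i < authlen; i++)
        if (auth[i] == '@')
            host = auth + i + 1;

    /* Everything from the host up to (not including) the fragment is kept. */
    size_t restlen = strcspn(host, "#");

    if (scheme + 3 + restlen + 1 > outlen)
        return -1;
    memcpy(out, url, scheme + 3);
    memcpy(out + scheme + 3, host, restlen);
    out[scheme + 3 + restlen] = '\0';
    return 0;
}

int main(void)
{
    char buf[128];
    /* Constructed sample URL, not taken from the advisory. */
    if (sanitize_referer("https://alice:s3cret@example.com/a?b=1#top", buf, sizeof buf) == 0)
        printf("Referer: %s\n", buf);
    return 0;
}
```

An application that sets the Referer: value itself can pass the URL through a function like this first, so credentials embedded in the first URL never reach the second server.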
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade libcurl to version 7.76.0
B - Apply the patch to your local version
C - Provide the credentials with
D - Avoid
This issue was reported to the curl project on February 12, 2021.
This advisory was posted on March 31st 2021.
- Reported-by: Viktor Szakats
- Patched-by: Viktor Szakats
Thanks a lot!