Awarded 800 USD

CVE-2021-22876

Automatic referer leaks credentials

Project curl Security Advisory, March 31st 2021

VULNERABILITY

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22876 to this issue.

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS

Also note that libcurl is used by many applications, and not always advertised as such.

SOLUTION

If a provided URL contains credentials, they are blanked out before the URL is used to populate the header field.
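The two passages above describe the defect (the previous request's URL, credentials included, is copied into the Referer: header) and the fix (the userinfo part is blanked out before the URL is reused). The following C program is an added illustration written for this page, not libcurl's own code: make_safe_referer derives a Referer value from a URL the way the fix describes, and referer_has_credentials is a check a defender could run over logged Referer: header values to spot clients that still leak. The function names and the sample URL with its credentials are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Locate the authority component ("user:pass@host:port") of `url`.
 * On success sets *auth and *auth_len and returns 1; returns 0 if the
 * URL carries no "scheme://" prefix. Hypothetical helper for this example. */
static int find_authority(const char *url, const char **auth, size_t *auth_len)
{
    const char *sep = strstr(url, "://");
    if (!sep)
        return 0;
    *auth = sep + 3;
    /* the authority ends at the first '/', '?' or '#' */
    *auth_len = strcspn(*auth, "/?#");
    return 1;
}

/* Return a pointer to the last '@' inside the authority, or NULL when the
 * authority has no userinfo. The last '@' is used so that an unencoded '@'
 * inside a sloppy password is still treated as part of the credentials. */
static const char *find_userinfo_end(const char *auth, size_t auth_len)
{
    const char *at = NULL;
    for (size_t i = 0; i < auth_len; i++)
        if (auth[i] == '@')
            at = auth + i;
    return at;
}

/* Detection: returns 1 if `referer` (a Referer: header value as it would
 * appear in a request log) still contains user:password@ credentials,
 * otherwise 0. An '@' in the path or query does not count. */
int referer_has_credentials(const char *referer)
{
    const char *auth;
    size_t auth_len;
    if (!referer || !find_authority(referer, &auth, &auth_len))
        return 0;
    return find_userinfo_end(auth, auth_len) != NULL;
}

/* Mitigation: copy `url` into `out` with the userinfo removed, which is how
 * an automatic Referer value should be derived from the previous URL.
 * Returns 1 if credentials were stripped, 0 if the URL was copied unchanged,
 * -1 if the input is invalid or `out` (capacity `outlen`) is too small. */
int make_safe_referer(const char *url, char *out, size_t outlen)
{
    if (!url || !out || outlen == 0)
        return -1;
    const char *auth;
    size_t auth_len;
    const char *at = NULL;
    if (find_authority(url, &auth, &auth_len))
        at = find_userinfo_end(auth, auth_len);
    if (!at) {
        size_t n = strlen(url);
        if (n + 1 > outlen)
            return -1;
        memcpy(out, url, n + 1);
        return 0;
    }
    size_t prefix = (size_t)(auth - url); /* "scheme://" */
    size_t rest = strlen(at + 1);         /* host[:port]/path?query */
    if (prefix + rest + 1 > outlen)
        return -1;
    memcpy(out, url, prefix);
    memcpy(out + prefix, at + 1, rest + 1); /* copies the terminating NUL */
    return 1;
}

int main(void)
{
    /* Constructed sample URL; the credentials are made up for the example. */
    const char *prev = "https://alice:s3cret@example.com/login?next=/app";
    char referer[256];
    int rc = make_safe_referer(prev, referer, sizeof referer);
    printf("stripped=%d referer=%s\n", rc, referer);

    /* Constructed log line of the kind a proxy might record. */
    const char *logged = "Referer: https://alice:s3cret@example.com/login";
    printf("leak=%d\n", referer_has_credentials(logged + strlen("Referer: ")));
    return 0;
}
```

The authority is cut at the first '/', '?' or '#' before looking for '@', so a value such as https://example.com/?u=a@b is left alone: only credentials in the userinfo position are stripped or flagged.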

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade libcurl to version 7.76.0

B - Apply the patch to your local version

C - Provide the credentials with -u or CURLOPT_USERPWD

D - Avoid CURLOPT_AUTOREFERER and --referer ";auto".

TIMELINE

This issue was reported to the curl project on February 12, 2021.

This advisory was posted on March 31st 2021.

CREDITS

Thanks a lot!