Automatic referer leaks credentials

Project curl Security Advisory, March 31st 2021

VULNERABILITY

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".

We are not aware of any exploit of this flaw.

INFO

This flaw has existed in libcurl since commit f30ffef477 in libcurl 7.1.1, released on August 21, 2000.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22876 to this issue.

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS

Also note that libcurl is used by many applications, and not always advertised as such.

THE SOLUTION

If a provided URL contains credentials, they will be blanked out before the URL is used to populate the header field.

A fix for CVE-2021-22876

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade libcurl to version 7.76.0

B - Apply the patch to your local version

C - Provide the credentials with -u or CURLOPT_USERPWD

D - Avoid CURLOPT_AUTOREFERER and --referer ";auto"
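
One way to apply recommendation C from a wrapper script when upgrading is not possible. This is an added example, not part of the advisory or of curl's own code. It moves credentials out of the URL and into --user, so the URL that an unfixed libcurl copies into Referer: carries none. The helper names split_credentials and curl_argv and the sample URL are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Return (url_without_userinfo, "user:password" or None)."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        # No userinfo in the authority; an '@' in the path or query is not one.
        return url, None
    # Everything after the last '@' of the authority is host[:port];
    # taking it verbatim keeps IPv6 brackets and the port intact.
    hostport = parts.netloc.rpartition("@")[2]
    # Credentials in a URL are percent-encoded; --user takes them literally.
    user = unquote(parts.username or "")
    password = unquote(parts.password or "")
    if ":" in user:
        # "user:password" is split on the first ':', so this user name
        # cannot be expressed that way. Refuse rather than send a wrong one.
        raise ValueError("user name contains ':'")
    clean = urlunsplit(
        (parts.scheme, hostport, parts.path, parts.query, parts.fragment)
    )
    return clean, f"{user}:{password}"


def curl_argv(url, options=("--location", "--referer", ";auto")):
    """Build a curl command line whose URL never contains credentials."""
    clean, userpwd = split_credentials(url)
    argv = ["curl", *options]
    if userpwd is not None:
        argv += ["--user", userpwd]
    return argv + ["--url", clean]


if __name__ == "__main__":
    # Constructed sample input: password "s3cr@t" percent-encoded in the URL.
    sample = "https://alice:s3cr%40t@example.com/start?x=1"
    print(curl_argv(sample))
```
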

TIMELINE

This issue was reported to the curl project on February 12, 2021.

This advisory was posted on March 31st 2021.

CREDITS

This issue was reported and patched by Viktor Szakats.

Thanks a lot!