CVE-2022-27774
Credential leak on redirect
Project curl Security Advisory, April 27th 2022 - Permalink
VULNERABILITY
curl follows HTTP(S) redirects when asked to (-L / CURLOPT_FOLLOWLOCATION). curl also supports authentication. When a user name and password are provided for a URL with a given host name, curl makes an effort not to pass those credentials on to other hosts in redirects unless given explicit permission with a special option (--location-trusted / CURLOPT_UNRESTRICTED_AUTH).
This "same host check" has been flawed ever since it was introduced. It does not work on cross-protocol redirects and it does not consider different port numbers to be separate hosts: only the host name is compared. This leads to curl leaking credentials to other servers when it follows redirects from auth-protected HTTP(S) URLs to other protocols or other port numbers on the same host name. It could also leak the TLS SRP credentials (--tlsuser / --tlspassword) this way.
By default, curl only allows redirects to HTTP(S) and FTP(S), but it can be asked to allow redirects to all protocols curl supports, which widens the set of targets the credentials can leak to.
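The check described above, modelled in Python as an added example (this is not curl's own code). The flawed variant compares the host name only, as the advisory describes the pre-7.83.0 behaviour; the fixed variant compares scheme, host and port. It assumes that an omitted port equals the scheme's default port (so https://h and https://h:443 are the same origin), and the unrestricted_auth flag stands in for --location-trusted / CURLOPT_UNRESTRICTED_AUTH. The redirect pairs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: an omitted port means the scheme's default port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990}


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def flawed_same_host(original, redirect):
    """Pre-7.83.0 behaviour as described in the advisory: only the host
    name is compared, so scheme and port changes are not noticed."""
    return _origin(original)[1] == _origin(redirect)[1]


def fixed_same_host(original, redirect):
    """Compare scheme, host and port; a change in any of them means the
    redirect target is a different server for credential purposes."""
    return _origin(original) == _origin(redirect)


def forward_credentials(original, redirect, unrestricted_auth=False,
                        check=fixed_same_host):
    """Decide whether user:password (or TLS SRP credentials) supplied for
    `original` may be sent along when following a redirect to `redirect`.
    `unrestricted_auth` models --location-trusted; when set, credentials
    follow every redirect regardless of the target."""
    if unrestricted_auth:
        return True
    return check(original, redirect)


# Constructed redirect pairs: (URL the credentials were given for, Location target).
CASES = [
    ("https://example.com/login", "https://example.com/home"),       # same origin
    ("https://example.com/login", "https://example.com:443/home"),   # explicit default port
    ("https://example.com/login", "http://example.com/home"),        # scheme downgrade
    ("https://example.com/login", "https://example.com:8443/home"),  # other port
    ("https://example.com/login", "ftp://example.com/pub/"),         # cross-protocol
    ("https://example.com/login", "https://evil.example/"),          # other host
]


def leaky_redirects():
    """Return the pairs where the flawed check forwards credentials but the
    fixed check does not, i.e. the leaks CVE-2022-27774 describes."""
    return [
        (orig, red) for orig, red in CASES
        if forward_credentials(orig, red, check=flawed_same_host)
        and not forward_credentials(orig, red)
    ]


if __name__ == "__main__":
    for orig, red in CASES:
        print(f"{orig} -> {red}: flawed={flawed_same_host(orig, red)} "
              f"fixed={fixed_same_host(orig, red)}")
```

Running the block lists three pairs that leak under the flawed check (scheme downgrade, port change and cross-protocol redirect) and none under the fixed one; the redirect to a different host name is refused by both, which is why the advisory's wording "leaks to other servers" should be read as other ports and protocols on the same name. Option C in the recommendations corresponds to never calling forward_credentials at all: without -L there is no redirect to follow.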
INFO
This flaw was added in curl 4.9 with the introduction of --location and has been present in all libcurl versions ever released. In July 2000, in the curl 7.1.1 release, this commit was the first version that attempted to avoid this, but the check has been bad since then.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-27774 to this issue.
CWE-522: Insufficiently Protected Credentials
Severity: Medium
AFFECTED VERSIONS
- Affected versions: curl 4.9 to and including 7.82.0
- Not affected versions: curl < 4.9 and curl >= 7.83.0
- Introduced-in: https://github.com/curl/curl/commit/ae1912cb0d494b4
Note that libcurl is used by many applications, but not always advertised as such.
SOLUTION
There are two separate patches to apply for CVE-2022-27774: the main one and the SRP follow-up.
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 7.83.0
B - Apply the patches to your version and rebuild
C - Switch off curl's automatic redirect following
TIMELINE
It was first reported to the curl project on April 18 2022. We contacted distros@openwall on April 19.
libcurl 7.83.0 was released on April 27 2022, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Harry Sintonen
- Patched-by: Daniel Stenberg
Thanks a lot!