CVE-2021-22876
01.04.2021, 18:15
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| haxx | libcurl | 7.1.1 ≤ 𝑥 ≤ 7.75.0 |
| netapp | hci_management_node | - |
| netapp | solidfire | - |
| netapp | hci_compute_node | - |
| netapp | hci_storage_node | - |
| broadcom | fabric_operating_system | - |
| debian | debian_linux | 9.0 |
| siemens | sinec_infrastructure_network_services | 𝑥 < 1.0.1.1 |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | essbase | 21.2 |
| splunk | universal_forwarder | 8.2.0 ≤ 𝑥 < 8.2.12 |
| splunk | universal_forwarder | 9.0.0 ≤ 𝑥 < 9.0.6 |
| splunk | universal_forwarder | 9.1.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| curl |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||
| libcurl-devel |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||
| libcurl4 |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||
| libcurl4-32bit |
|
Red Hat Enterprise Linux Releases
Common Weakness Enumeration
- CWE-359 - Exposure of Private Personal Information to an Unauthorized ActorThe product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
References