CVE-2021-22876

Automatic referer leaks credentials

Project curl Security Advisory, March 31st 2021 - Permalink

VULNERABILITY

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22876 to this issue.

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS

• Affected versions: curl 7.1.1 to and including 7.75.0
• Not affected versions: curl < 7.1.1 and curl >= 7.76.0
• Introduced-in: https://github.com/curl/curl/commit/f30ffef477

Also note that libcurl is used by many applications, and not always advertised as such.

SOLUTION

If a provided URL contains credentials, they will be blanked out before the URL is used to populate the header field.

• Fixed-in: https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade libcurl to version 7.76.0

B - Apply the patch to your local version

C - Provide the credentials with -u or CURLOPT_USERPWD

D - Avoid CURLOPT_AUTOREFERER and --referer ";auto",

TIMELINE

This issue was reported to the curl project on February 12, 2021.

This advisory was posted on March 31st 2021.

CREDITS

• Reported-by: Viktor Szakats
• Patched-by: Viktor Szakats

Thanks a lot!