5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.009 Low
EPSS
Percentile
83.1%
Issue Overview:
It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected. (CVE-2021-22876)
A vulnerability was found in curl where a flaw in the option parser for sending NEW_ENV variables libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22898)
Affected Packages:
curl
Issue Correction:
Run yum update curl to update your system.
New Packages:
i686:
curl-debuginfo-7.61.1-12.98.amzn1.i686
libcurl-devel-7.61.1-12.98.amzn1.i686
curl-7.61.1-12.98.amzn1.i686
libcurl-7.61.1-12.98.amzn1.i686
src:
curl-7.61.1-12.98.amzn1.src
x86_64:
curl-debuginfo-7.61.1-12.98.amzn1.x86_64
libcurl-7.61.1-12.98.amzn1.x86_64
libcurl-devel-7.61.1-12.98.amzn1.x86_64
curl-7.61.1-12.98.amzn1.x86_64
Red Hat: CVE-2021-22876, CVE-2021-22898
Mitre: CVE-2021-22876, CVE-2021-22898
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | curl-debuginfo | < 7.61.1-12.98.amzn1 | curl-debuginfo-7.61.1-12.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | libcurl-devel | < 7.61.1-12.98.amzn1 | libcurl-devel-7.61.1-12.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | curl | < 7.61.1-12.98.amzn1 | curl-7.61.1-12.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | libcurl | < 7.61.1-12.98.amzn1 | libcurl-7.61.1-12.98.amzn1.i686.rpm |
Amazon Linux | 1 | x86_64 | curl-debuginfo | < 7.61.1-12.98.amzn1 | curl-debuginfo-7.61.1-12.98.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | libcurl | < 7.61.1-12.98.amzn1 | libcurl-7.61.1-12.98.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | libcurl-devel | < 7.61.1-12.98.amzn1 | libcurl-devel-7.61.1-12.98.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | curl | < 7.61.1-12.98.amzn1 | curl-7.61.1-12.98.amzn1.x86_64.rpm |
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.009 Low
EPSS
Percentile
83.1%