CVE-2021-22876

Published: 2021-04-01 18:15:12

CWE: CWE-359, CWE-200

Sources: hackerone, web.nvd.nist.gov (nvd)

Tags: cve-2021-22876, curl, libcurl, vulnerability, leakage, credentials, http referer

CVSS2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: NONE
  Availability Impact: NONE

AI Score: 5.7 (Confidence: High)

EPSS: 0.009 (Percentile: 83.0%)

curl 7.1.1 to and including 7.75.0 is vulnerable to an “Exposure of Private Personal Information to an Unauthorized Actor” by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Affected configurations

NVD / Vulners configuration nodes:

  Node: haxx libcurl, Range 7.1.1 to 7.75.0
  Node: fedoraproject fedora, Match 32 OR Match 33 OR Match 34
  Node: netapp hci_management_node, Match - OR netapp solidfire, Match - OR netapp hci_compute_node, Match - OR netapp hci_storage_node, Match -
  Node: broadcom fabric_operating_system, Match -
  Node: debian debian_linux, Match 9.0
  Node: siemens sinec_infrastructure_network_services, Range <1.0.1.1
  Node: oracle communications_billing_and_revenue_management, Match 12.0.0.3.0 OR oracle essbase, Match 21.2
  Node: splunk universal_forwarder, Range 8.2.0 to 8.2.12 OR Range 9.0.0 to 9.0.6 OR Match 9.1.0

CPE table (rows 1-10 of 151):

  Vendor          Product                   Version  CPE
  haxx            libcurl                   *        cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
  fedoraproject   fedora                    32       cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  fedoraproject   fedora                    33       cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  fedoraproject   fedora                    34       cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  netapp          hci_management_node       -        cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
  netapp          solidfire                 -        cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
  netapp          hci_compute_node          -        cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
  netapp          hci_storage_node          -        cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*
  broadcom        fabric_operating_system   -        cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*
  debian          debian_linux              9.0      cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "https://github.com/curl/curl",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "7.1.1 to and including 7.75.0"
      }
    ]
  }
]
