CVE-2021-22876

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 01-04-2021 08:15

Last modified: - 06-04-2022 06:19

Total changes: - 11

Description

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

Low

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

5.3

Base score

3.9

1.4

Exploitability score

Impact score

Verification logic

vendor=haxx AND product=libcurl AND versionEndIncluding=7.75.0 AND versionStartIncluding=7.1.1

vendor=fedoraproject AND product=fedora AND version=32

vendor=fedoraproject AND product=fedora AND version=33

vendor=fedoraproject AND product=fedora AND version=34

vendor=netapp AND product=hci_management_node AND version=-

vendor=netapp AND product=solidfire AND version=-

vendor=netapp AND product=hci_compute_node AND version=-

vendor=netapp AND product=hci_storage_node AND version=-

vendor=broadcom AND product=fabric_operating_system AND version=-

vendor=Debian AND product=debian_linux AND version=9.0

vendor=siemens AND product=sinec_infrastructure_network_services AND versionEndExcluding=1.0.1.1

vendor=oracle AND product=communications_billing_and_revenue_management AND version=12.0.0.3.0

vendor=oracle AND product=essbase AND version=21.2

Reference

https://curl.se/docs/CVE-2021-22876.html
https://hackerone.com/reports/1101882
FEDORA-2021-cab5c9befb-Mailing List, Third Party Advisory
FEDORA-2021-065371f385-Mailing List, Third Party Advisory
FEDORA-2021-26a293c72b-Mailing List, Third Party Advisory
[debian-lts-announce] 20210517 [SECURITY] [DLA 2664-1] curl security update-Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20210521-0007/
GLSA-202105-36-Third Party Advisory
N/A-Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Keywords

CVE-2021-22876

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2021-22876

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures