CVE-2007-5034: Infoleak
First published: Fri Sep 21 2007(Updated: )
ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy is defined for https.
Credit: security@ubuntu.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| elinks elinks | <=0.11.1 | |
| elinks elinks | <=0.11.2 | |
| eLinks | <=0.11.1 | |
| eLinks | <=0.11.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugzilla.elinks.cz/show_bug.cgi?id=937
- https://bugs.launchpad.net/ubuntu/+source/elinks/+bug/141018
- https://bugzilla.redhat.com/show_bug.cgi?id=297981
- http://www.debian.org/security/2007/dsa-1380
- https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00335.html
- https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00079.html
- http://www.redhat.com/support/errata/RHSA-2007-0933.html
- http://www.ubuntu.com/usn/usn-519-1
- http://www.securityfocus.com/bid/25799
- http://www.securitytracker.com/id?1018764
- http://secunia.com/advisories/26936
- http://secunia.com/advisories/26956
- http://secunia.com/advisories/26949
- http://secunia.com/advisories/27062
- http://secunia.com/advisories/27125
- http://secunia.com/advisories/27132
- http://secunia.com/advisories/27038
- http://www.vupen.com/english/advisories/2007/3278
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10335
- http://www.securityfocus.com/archive/1/481606/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2007-5034?
CVE-2007-5034 is classified as a moderate severity vulnerability due to the potential exposure of sensitive data.
How do I fix CVE-2007-5034?
To fix CVE-2007-5034, update ELinks to version 0.11.3 or later to ensure HTTPS POST requests do not append sensitive data in cleartext.
What versions of ELinks are affected by CVE-2007-5034?
Versions of ELinks prior to 0.11.3, specifically 0.11.1 and 0.11.2, are affected by CVE-2007-5034.
What type of data can be exposed due to CVE-2007-5034?
CVE-2007-5034 may expose sensitive data from the body and content headers of POST requests sent through a proxy.
Is CVE-2007-5034 related to proxy usage?
Yes, CVE-2007-5034 occurs specifically when ELinks sends POST requests for HTTPS URLs through a proxy.
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/type
- agent/event
- agent/description
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/elinks
- canonical/elinks elinks
- version/elinks elinks/0.11.1
- version/elinks elinks/0.11.2
- canonical/elinks
- version/elinks/0.11.1
- version/elinks/0.11.2