CVE-2018-1000007
First published: Mon Jan 22 2018(Updated: )
It was found that libcurl might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request. This bug has existed since before curl 6.0.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Haxx Curl | >=7.1<=7.57.0 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =17.10 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.4 | |
| Redhat Enterprise Linux Server Eus | =7.4 | |
| Redhat Enterprise Linux Server Eus | =7.5 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Fujitsu M10-1 Firmware | <xcp2361 | |
| Fujitsu M10-1 | ||
| Fujitsu M10-4 Firmware | <xcp2361 | |
| Fujitsu M10-4 | ||
| Fujitsu M10-4s Firmware | <xcp2361 | |
| Fujitsu M10-4s | ||
| Fujitsu M12-1 Firmware | <xcp2361 | |
| Fujitsu M12-1 | ||
| Fujitsu M12-2 Firmware | <xcp2361 | |
| Fujitsu M12-2 | ||
| Fujitsu M12-2s Firmware | <xcp2361 | |
| Fujitsu M12-2s | ||
| Fujitsu M10-1 Firmware | <xcp3070 | |
| Fujitsu M10-4 Firmware | <xcp3070 | |
| Fujitsu M10-4s Firmware | <xcp3070 | |
| Fujitsu M12-1 Firmware | <xcp3070 | |
| Fujitsu M12-2 Firmware | <xcp3070 | |
| Fujitsu M12-2s Firmware | <xcp3070 | |
| All of | ||
| Fujitsu M10-1 Firmware | <xcp2361 | |
| Fujitsu M10-1 | ||
| All of | ||
| Fujitsu M10-4 Firmware | <xcp2361 | |
| Fujitsu M10-4 | ||
| All of | ||
| Fujitsu M10-4s Firmware | <xcp2361 | |
| Fujitsu M10-4s | ||
| All of | ||
| Fujitsu M12-1 Firmware | <xcp2361 | |
| Fujitsu M12-1 | ||
| All of | ||
| Fujitsu M12-2 Firmware | <xcp2361 | |
| Fujitsu M12-2 | ||
| All of | ||
| Fujitsu M12-2s Firmware | <xcp2361 | |
| Fujitsu M12-2s | ||
| All of | ||
| Fujitsu M10-1 Firmware | <xcp3070 | |
| Fujitsu M10-1 | ||
| All of | ||
| Fujitsu M10-4 Firmware | <xcp3070 | |
| Fujitsu M10-4 | ||
| All of | ||
| Fujitsu M10-4s Firmware | <xcp3070 | |
| Fujitsu M10-4s | ||
| All of | ||
| Fujitsu M12-1 Firmware | <xcp3070 | |
| Fujitsu M12-1 | ||
| All of | ||
| Fujitsu M12-2 Firmware | <xcp3070 | |
| Fujitsu M12-2 | ||
| All of | ||
| Fujitsu M12-2s Firmware | <xcp3070 | |
| Fujitsu M12-2s | ||
| redhat/curl | <7.58.0 | 7.58.0 |
| debian/curl | 7.74.0-1.3+deb11u13 7.74.0-1.3+deb11u14 7.88.1-10+deb12u8 7.88.1-10+deb12u5 8.11.0-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2022/04/27/4
- http://www.securitytracker.com/id/1040274
- https://access.redhat.com/errata/RHBA-2019:0327
- https://access.redhat.com/errata/RHSA-2018:3157
- https://access.redhat.com/errata/RHSA-2018:3558
- https://access.redhat.com/errata/RHSA-2019:1543
- https://access.redhat.com/errata/RHSA-2020:0544
- https://access.redhat.com/errata/RHSA-2020:0594
- https://curl.haxx.se/docs/adv_2018-b3bf.html
- https://lists.debian.org/debian-lts-announce/2018/01/msg00038.html
- https://usn.ubuntu.com/3554-1/
- https://usn.ubuntu.com/3554-2/
- https://www.debian.org/security/2018/dsa-4098
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://launchpad.net/bugs/cve/CVE-2018-1000007
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1384445&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1384445&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1537968
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1537966
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1537967
- https://curl.haxx.se/libcurl/c/CURLOPT_FOLLOWLOCATION.html
- https://access.redhat.com/security/updates/classification/
- https://bugzilla.redhat.com/show_bug.cgi?id=1537125
- https://github.com/curl/curl/commit/af32cd3859336ab.patch
- https://security-tracker.debian.org/tracker/CVE-2018-1000007
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000007
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000007
- https://ubuntu.com/security/CVE-2018-1000007
Frequently Asked Questions
What is the severity of CVE-2018-1000007?
The severity of CVE-2018-1000007 is critical (9.8).
How does CVE-2018-1000007 accidentally leak authentication data?
CVE-2018-1000007 accidentally leaks authentication data when libcurl is asked to send custom headers and follows redirects.
Which versions of libcurl are affected by CVE-2018-1000007?
Versions 7.1 through 7.57.0 of libcurl are affected by CVE-2018-1000007.
How do I fix CVE-2018-1000007?
To fix CVE-2018-1000007, update libcurl to version 7.58.0 or higher.
Where can I find more information about CVE-2018-1000007?
You can find more information about CVE-2018-1000007 at the following references: [link1](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1384445&action=diff), [link2](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1384445&action=edit), [link3](https://curl.haxx.se/docs/adv_2018-b3bf.html).
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-1000007
- agent/description
- agent/references
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/haxx
- canonical/haxx curl
- version/haxx curl/7.1
- version/haxx curl/7.57.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/17.10
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.4
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.4
- version/redhat enterprise linux server eus/7.5
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- vendor/fujitsu
- canonical/fujitsu m10-1 firmware
- canonical/fujitsu m10-1
- canonical/fujitsu m10-4 firmware
- canonical/fujitsu m10-4
- canonical/fujitsu m10-4s firmware
- canonical/fujitsu m10-4s
- canonical/fujitsu m12-1 firmware
- canonical/fujitsu m12-1
- canonical/fujitsu m12-2 firmware
- canonical/fujitsu m12-2
- canonical/fujitsu m12-2s firmware
- canonical/fujitsu m12-2s
- package-manager/redhat
- package-manager/debian