First published: Tue Mar 23 2021(Updated: )
cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain user credentials, and use this information to launch further attacks against the affected system.
Credit: support@hackerone.com support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jbcs-httpd24 | <0:1-18.el8 | 0:1-18.el8 |
redhat/jbcs-httpd24-apr | <0:1.6.3-105.el8 | 0:1.6.3-105.el8 |
redhat/jbcs-httpd24-apr-util | <0:1.6.1-82.el8 | 0:1.6.1-82.el8 |
redhat/jbcs-httpd24-brotli | <0:1.0.6-40.el8 | 0:1.0.6-40.el8 |
redhat/jbcs-httpd24-curl | <0:7.77.0-2.el8 | 0:7.77.0-2.el8 |
redhat/jbcs-httpd24-httpd | <0:2.4.37-74.el8 | 0:2.4.37-74.el8 |
redhat/jbcs-httpd24-jansson | <0:2.11-55.el8 | 0:2.11-55.el8 |
redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-37.el8 | 0:1.39.2-37.el8 |
redhat/jbcs-httpd24-openssl | <1:1.1.1g-6.el8 | 1:1.1.1g-6.el8 |
redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-5.el8 | 0:1.0.0-5.el8 |
redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-20.el8 | 0:0.4.10-20.el8 |
redhat/jbcs-httpd24 | <0:1-18.jbcs.el7 | 0:1-18.jbcs.el7 |
redhat/jbcs-httpd24-apr | <0:1.6.3-105.jbcs.el7 | 0:1.6.3-105.jbcs.el7 |
redhat/jbcs-httpd24-apr-util | <0:1.6.1-82.jbcs.el7 | 0:1.6.1-82.jbcs.el7 |
redhat/jbcs-httpd24-curl | <0:7.77.0-2.jbcs.el7 | 0:7.77.0-2.jbcs.el7 |
redhat/jbcs-httpd24-httpd | <0:2.4.37-74.jbcs.el7 | 0:2.4.37-74.jbcs.el7 |
redhat/jbcs-httpd24-jansson | <0:2.11-55.jbcs.el7 | 0:2.11-55.jbcs.el7 |
redhat/rh-dotnet31-curl | <0:7.61.1-22.el7_9 | 0:7.61.1-22.el7_9 |
redhat/curl | <0:7.61.1-22.el8 | 0:7.61.1-22.el8 |
debian/curl | 7.64.0-4+deb10u2 7.64.0-4+deb10u7 7.74.0-1.3+deb11u9 7.74.0-1.3+deb11u10 7.88.1-10+deb12u3 7.88.1-10+deb12u4 8.4.0-2 | |
Haxx Libcurl | >=7.1.1<=7.75.0 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Fedoraproject Fedora | =34 | |
Netapp Hci Management Node | ||
Netapp Solidfire | ||
Netapp Hci Compute Node | ||
Netapp Hci Storage Node | ||
Broadcom Fabric Operating System | ||
Debian Debian Linux | =9.0 | |
Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
Oracle Communications Billing and Revenue Management | =12.0.0.3.0 | |
Oracle Essbase | =21.2 | |
IBM QRadar SIEM | <=7.5.0 GA | |
IBM QRadar SIEM | <=7.4.3 GA - 7.4.3 FP4 | |
IBM QRadar SIEM | <=7.3.3 GA - 7.3.3 FP10 | |
redhat/curl | <7.76.0 | 7.76.0 |
Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
Splunk Universal Forwarder | =9.1.0 |
This issue can be avoided by using at least one of the following recommendations: * Do not enable automatic generation of Referer headers when redirects are followed. This functionality is not enabled by default. In the curl command line tool, it is enabled using the -e ';auto' or --referer ';auto' command line options. In the libcurl library, it is enabled using the CURLOPT_AUTOREFERER option. * Do not include authentication credentials in URLs (in the form of https://username:password@example.com), use other methods to provide authentication credentials to curl / libcurl. For the curl command line tool, use -u or --user command line option. For the libcurl library, use CURLOPT_USERPWD or CURLOPT_USERNAME / CURLOPT_PASSWORD options.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
The vulnerability ID is CVE-2021-22876.
The severity of CVE-2021-22876 is high with a severity value of 7.5.
CVE-2021-22876 affects libcurl by allowing a remote attacker to obtain sensitive information.
An attacker can exploit CVE-2021-22876 by sending a specially-crafted HTTP request.
Yes, a fix is available for CVE-2021-22876. Please refer to the provided references for more information on how to obtain the fix.