Bug 1941964 (CVE-2021-22876)

Summary: CVE-2021-22876 curl: Leak of authentication credentials in URL via automatic Referer
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: amctagga, andrew.slice, anharris, askrabec, bniver, bodavis, csutherl, dbhole, dkuc, flucifre, gmeno, gzaronik, hhorak, hvyas, jclere, jorton, jwon, kanderso, kaycoth, kdudka, krathod, luhliari, mbenjamin, mhackett, msekleta, mseri, mturk, ntait, omajid, paul, pjindal, rdey, rwagner, security-response-team, sostapov, svashisht, szappis, vereddy, vmugicag
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: curl 7.76.0
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected.
Last Closed: 2021-06-17 15:04:29 UTC
Bug Depends On: 1942460, 1942461, 1942462, 1942463, 1942464, 1942465, 1942466, 1942467, 1942468, 1942469, 1942471, 1942472, 1942473, 1942474, 1942475, 1942476, 1942477, 1945058, 1945065, 1945066, 1945067, 1956594, 1956595
Bug Blocks: 1941974

Description Marian Rehak 2021-03-23 10:06:43 UTC
libcurl does not strip off user credentials from the URL when automatically populating the `Referer:` HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Upstream Advisory:

https://curl.se/docs/CVE-2021-22876.html

Comment 4 Tomas Hoger 2021-03-30 20:47:38 UTC
Acknowledgments:

Name: the Curl project
Upstream: Viktor Szakats

Comment 6 Tomas Hoger 2021-03-30 21:18:36 UTC
This issue may cause a leak of HTTP authentication credentials when all the following conditions are met:

- When connecting to some remote server, HTTP authentication credentials are included directly in the URL passed to libcurl, i.e. the URL has the following form: http://username:password@example.com/
- Following of redirects is enabled - in case of the curl command line tool, that's done using the -L / --location command line option; for the libcurl library, it's enabled using the CURLOPT_FOLLOWLOCATION option.
- Automatic generation of Referer headers while following redirects is enabled - using the -e ';auto' / --referer ';auto' option for the curl tool; or using the CURLOPT_AUTOREFERER library option.

When these conditions are met, and when the server responds with a redirect to some other host, the host that the request is redirected to will get the full original URL including authentication credentials via the Referer header automatically generated by libcurl.

This issue can be avoided by ensuring that at least one of the above conditions is not met. The most practical mitigations are:

- Disable automatic generation of Referer headers while processing redirects.
- Avoid including authentication credentials directly in the URL and use other methods to provide those credentials - using the -u / --user option for the curl tool; use CURLOPT_USERPWD or CURLOPT_USERNAME / CURLOPT_PASSWORD options for libcurl.

Comment 8 Tomas Hoger 2021-03-31 10:04:48 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1945058]

Comment 11 Tomas Hoger 2021-03-31 15:11:27 UTC
Mitigation:

This issue can be avoided by using at least one of the following recommendations:

* Do not enable automatic generation of Referer headers when redirects are followed. This functionality is not enabled by default. In the curl command line tool, it is enabled using the -e ';auto' or --referer ';auto' command line options. In the libcurl library, it is enabled using the CURLOPT_AUTOREFERER option.

* Do not include authentication credentials in URLs (in the form of https://username:password@example.com); use other methods to provide authentication credentials to curl / libcurl. For the curl command line tool, use the -u or --user command line option. For the libcurl library, use the CURLOPT_USERPWD or CURLOPT_USERNAME / CURLOPT_PASSWORD options.
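
The three conditions from Comment 6 and the mitigations from Comment 11, as an added example that is not part of the bug report or of the curl project's code. It assumes the hypothetical helper names `curl_cmd_at_risk` (audits a curl command line for the vulnerable option combination) and `safe_referer` (builds a Referer value with the userinfo removed, which is what curl 7.76.0 and later do).

```python
import shlex
from urllib.parse import urlsplit, urlunsplit


def url_has_userinfo(url):
    """True when the URL carries credentials in the form scheme://user:pass@host/."""
    p = urlsplit(url)
    return p.username is not None or p.password is not None


def safe_referer(url):
    """Referer value with the userinfo part stripped (behaviour of the fixed libcurl)."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = f"{host}:{p.port}" if p.port else host
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def curl_cmd_at_risk(cmdline):
    """True only when all three advisory conditions hold for a curl command line:
    redirects followed (-L/--location), auto Referer (-e ';auto'/--referer ';auto'),
    and credentials embedded in the URL argument."""
    argv = shlex.split(cmdline)
    follow = autoref = creds = False
    i = 0
    while i < len(argv):
        a = argv[i]
        if a in ("-L", "--location"):
            follow = True
        elif a.startswith("-") and not a.startswith("--") and "L" in a[1:]:
            follow = True                # bundled short options such as -sL
        elif a in ("-e", "--referer"):
            i += 1                       # the value is the next argument
            if i < len(argv) and ";auto" in argv[i]:
                autoref = True
        elif a.startswith("--referer="):
            autoref = ";auto" in a
        elif not a.startswith("-") and "://" in a and url_has_userinfo(a):
            creds = True
        i += 1
    return follow and autoref and creds


# Constructed sample invocations (not from the report): vulnerable combination,
# then the same request with the credentials moved to -u as Comment 11 recommends.
RISKY = "curl -sL -e ';auto' http://alice:s3cret@example.com/api"
FIXED = "curl -sL -e ';auto' -u alice:s3cret http://example.com/api"
```

`safe_referer` keeps path and query, so a fixed client still sends a useful Referer to the redirect target without the userinfo.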

Comment 15 errata-xmlrpc 2021-06-17 11:35:53 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

Comment 16 errata-xmlrpc 2021-06-17 11:45:53 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472

Comment 17 Product Security DevOps Team 2021-06-17 15:04:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22876

Comment 18 errata-xmlrpc 2021-11-09 19:02:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4511 https://access.redhat.com/errata/RHSA-2021:4511

Comment 19 errata-xmlrpc 2022-04-13 14:28:49 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:1354 https://access.redhat.com/errata/RHSA-2022:1354