Bug 2078408 (CVE-2022-27776)

Summary: CVE-2022-27776 curl: auth/cookie leak on redirect
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: andrew.slice, bodavis, csutherl, dbhole, erik-fedora, gzaronik, hhorak, jclere, jorton, jwon, kanderso, kdudka, luhliari, lvaleeva, mike, msekleta, mturk, omajid, paul, pjindal, rwagner, security-response-team, svashisht, szappis
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: curl 7.83.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in curl. This security flaw allows leaking authentication or cookie header data on HTTP redirects to the same host but a different port number. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:` headers, as those headers often contain privacy-sensitive information or data.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-06 17:03:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2078749, 2078750, 2078751, 2078752, 2078753, 2079173, 2079174, 2113053
Bug Blocks: 2077543

Description Marian Rehak 2022-04-25 08:58:34 UTC
When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host whose name is used in the initial URL, so that redirects to other hosts will not make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to hosts that are identical to the first one but use a different port number or URL scheme, contrary to expectation and intention. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:` headers, as those headers often contain privacy-sensitive information or data.

curl and libcurl have options that allow users to opt out from this check, but
that is not set by default.
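Added illustration, not curl's own code: a minimal redirect-origin check that contrasts the flawed host-only comparison the report describes with the scheme/host/port comparison a fix needs. The `struct origin`, `parse_origin` and `may_forward_headers_*` names are hypothetical, and the URL parser is a deliberately small stand-in that only handles `scheme://host[:port][/path]`.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical minimal origin: scheme, host and effective port. */
struct origin { char scheme[8]; char host[128]; int port; };

/* Parse "scheme://host[:port]/..." into an origin. Returns false on malformed
   input. A missing port defaults to 443 for https and 80 for http. */
static bool parse_origin(const char *url, struct origin *o) {
    const char *p = strstr(url, "://");
    if (!p || (size_t)(p - url) >= sizeof(o->scheme)) return false;
    memcpy(o->scheme, url, (size_t)(p - url));
    o->scheme[p - url] = '\0';
    p += 3;
    size_t n = strcspn(p, ":/");
    if (n == 0 || n >= sizeof(o->host)) return false;
    memcpy(o->host, p, n);
    o->host[n] = '\0';
    p += n;
    if (*p == ':') {
        char *end;
        long port = strtol(p + 1, &end, 10);
        if (end == p + 1 || port <= 0 || port > 65535) return false;
        o->port = (int)port;
    } else if (strcasecmp(o->scheme, "https") == 0) {
        o->port = 443;
    } else if (strcasecmp(o->scheme, "http") == 0) {
        o->port = 80;
    } else {
        return false;
    }
    return true;
}

/* The flawed rule the report describes: a matching host name is enough, so
   custom Authorization/Cookie headers follow a redirect to another port. */
bool may_forward_headers_hostonly(const char *from, const char *to) {
    struct origin a, b;
    if (!parse_origin(from, &a) || !parse_origin(to, &b)) return false;
    return strcasecmp(a.host, b.host) == 0;
}

/* Corrected rule: scheme, host and port must all match; unparsable URLs
   fail closed so no header is forwarded by accident. */
bool may_forward_headers_sameorigin(const char *from, const char *to) {
    struct origin a, b;
    if (!parse_origin(from, &a) || !parse_origin(to, &b)) return false;
    return strcasecmp(a.scheme, b.scheme) == 0 &&
           strcasecmp(a.host, b.host) == 0 && a.port == b.port;
}
```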

Comment 4 Sandipan Roy 2022-04-27 06:37:50 UTC
https://curl.se/docs/CVE-2022-27776.html

Comment 5 Sandipan Roy 2022-04-27 06:38:26 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2079174]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2079173]

Comment 6 errata-xmlrpc 2022-06-28 14:58:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5245 https://access.redhat.com/errata/RHSA-2022:5245

Comment 7 errata-xmlrpc 2022-06-28 18:31:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5313 https://access.redhat.com/errata/RHSA-2022:5313

Comment 11 Product Security DevOps Team 2022-12-06 17:03:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-27776