libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).
External References: https://curl.haxx.se/docs/CVE-2020-8169.html
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1851435] Created flickcurl tracking bugs for this issue: Affects: fedora-all [bug 1851437] Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 1851436]
This issue has been addressed in the following products: JBoss Core Services Apache HTTP Server 2.4.37 SP8 Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8169