Bug 2078408 (CVE-2022-27776) - CVE-2022-27776 curl: auth/cookie leak on redirect
Summary: CVE-2022-27776 curl: auth/cookie leak on redirect
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-27776
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2078749 2078750 2078751 2078752 2078753 2079173 2079174 2113053
Blocks: 2077543
Reported: 2022-04-25 08:58 UTC by Marian Rehak
Modified: 2022-12-06 17:03 UTC

Fixed In Version: curl 7.83.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in curl. This security flaw allows authentication or cookie header data to leak on HTTP redirects to the same host but another port number. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:` headers. Those headers often contain privacy-sensitive information or data.
Clone Of:
Environment:
Last Closed: 2022-12-06 17:03:13 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5245 0 None None None 2022-06-28 14:58:56 UTC
Red Hat Product Errata RHSA-2022:5313 0 None None None 2022-06-28 18:31:30 UTC

Description Marian Rehak 2022-04-25 08:58:34 UTC
When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host whose name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme, contrary to expectation and intention. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:` headers, as those headers often contain privacy-sensitive information or data.

curl and libcurl have options that allow users to opt out from this check, but
that is not set by default.
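
The difference between a host-name-only comparison and one that also compares port and URL scheme, as an added example that is not part of the original bug report and is not curl's own code. The struct, the function names and the URLs are assumptions constructed for illustration; the parser handles only plain `scheme://host[:port]/` URLs.

```c
#include <stdio.h>
#include <strings.h>

/* Illustrative origin record; these names are assumptions, not libcurl's. */
struct origin { char scheme[8]; char host[128]; int port; };

/* Parse "scheme://host[:port]/..." (no userinfo or IPv6 literals). 0 on success. */
static int parse_origin(const char *url, struct origin *o)
{
  int n = 0;
  o->port = 0;
  if(sscanf(url, "%7[A-Za-z]://%127[^:/]%n", o->scheme, o->host, &n) != 2)
    return -1;
  if(url[n] == ':' && sscanf(url + n + 1, "%d", &o->port) != 1)
    return -1;
  if(o->port == 0) /* no explicit port: use the scheme default */
    o->port = strcasecmp(o->scheme, "https") == 0 ? 443 : 80;
  return 0;
}

/* Flawed check as the report describes it: only the host name is compared. */
static int same_target_flawed(const struct origin *a, const struct origin *b)
{
  return strcasecmp(a->host, b->host) == 0;
}

/* Corrected check: host, port and URL scheme must all match. */
static int same_target_fixed(const struct origin *a, const struct origin *b)
{
  return strcasecmp(a->host, b->host) == 0 && a->port == b->port &&
         strcasecmp(a->scheme, b->scheme) == 0;
}

/* 1 = custom Authorization:/Cookie: headers follow the redirect,
   0 = they are dropped, -1 = a URL could not be parsed. */
int headers_follow(const char *first, const char *redirect, int fixed)
{
  struct origin a, b;
  if(parse_origin(first, &a) || parse_origin(redirect, &b))
    return -1;
  return fixed ? same_target_fixed(&a, &b) : same_target_flawed(&a, &b);
}

int main(void)
{
  const char *first = "https://app.example.com/login"; /* constructed URLs */
  const char *next = "https://app.example.com:8443/home";
  printf("flawed=%d fixed=%d\n", headers_follow(first, next, 0), headers_follow(first, next, 1));
  return 0;
}
```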

Comment 4 Sandipan Roy 2022-04-27 06:37:50 UTC
https://curl.se/docs/CVE-2022-27776.html

Comment 5 Sandipan Roy 2022-04-27 06:38:26 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2079174]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2079173]

Comment 6 errata-xmlrpc 2022-06-28 14:58:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5245 https://access.redhat.com/errata/RHSA-2022:5245

Comment 7 errata-xmlrpc 2022-06-28 18:31:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5313 https://access.redhat.com/errata/RHSA-2022:5313

Comment 11 Product Security DevOps Team 2022-12-06 17:03:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-27776
