When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host which name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme. Contrary to expectation and intention. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:` headers, as those headers often contain privacy sensitive information or data. curl and libcurl have options that allow users to opt out from this check, but that is not set by default.
https://curl.se/docs/CVE-2022-27776.html
Created curl tracking bugs for this issue: Affects: fedora-all [bug 2079174] Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 2079173]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:5245 https://access.redhat.com/errata/RHSA-2022:5245
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5313 https://access.redhat.com/errata/RHSA-2022:5313
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-27776