libcurl does not strip off user credentials from the URL when automatically populating the `Referer:` HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Upstream Advisory: https://curl.se/docs/CVE-2021-22876.html

Acknowledgments:
Name: the Curl project
Upstream: Viktor Szakats
This issue may cause a leak of HTTP authentication credentials when all the following conditions are met:

- When connecting to some remote server, HTTP authentication credentials are included directly in the URL passed to libcurl, i.e. the URL has the following form: http://username:password@example.com/ .
- Following of redirects is enabled - in case of the curl command line tool, that's done using the -L / --location command line option; for the libcurl library, it's enabled using the CURLOPT_FOLLOWLOCATION option.
- Automatic generation of Referer headers while following redirects is enabled - using the -e ';auto' / --referer ';auto' option for the curl tool; or using the CURLOPT_AUTOREFERER library option.

When these conditions are met, and when the server responds with a redirect to some other host, the host that the request is redirected to will get the full original URL including authentication credentials via the Referer header automatically generated by libcurl.

This issue can be avoided by ensuring at least one of the above conditions is not met. The most practical mitigations are:

- Disable automatic generation of Referer headers while processing redirects.
- Avoid including authentication credentials directly in the URL and use other methods to provide those credentials - using the -u / --user option for the curl tool; use CURLOPT_USERPWD or CURLOPT_USERNAME / CURLOPT_PASSWORD options for libcurl.
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1945058]
Upstream commit: https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c
Mitigation:

This issue can be avoided by using at least one of the following recommendations:

* Do not enable automatic generation of Referer headers when redirects are followed. This functionality is not enabled by default. In the curl command line tool, it is enabled using the -e ';auto' or --referer ';auto' command line options. In the libcurl library, it is enabled using the CURLOPT_AUTOREFERER option.
* Do not include authentication credentials in URLs (in the form of https://username:password@example.com), use other methods to provide authentication credentials to curl / libcurl. For the curl command line tool, use the -u or --user command line option. For the libcurl library, use the CURLOPT_USERPWD or CURLOPT_USERNAME / CURLOPT_PASSWORD options.
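As an added illustration (not code from the curl project or from this bug report), the Python below shows the two sides of this issue: referer_for() reproduces what the upstream fix does to the Referer value by dropping the userinfo part of the URL, and leaks_credentials_in_referer() is a hypothetical audit helper that flags a curl command line meeting all three conditions listed above (credentials in the URL, -L/--location, -e ';auto'/--referer ';auto'). The command lines are constructed sample input; the helper only understands standalone flags and grouped short options such as -sL.

```python
import shlex
from urllib.parse import urlsplit, urlunsplit


def referer_for(url: str) -> str:
    """Referer value for `url` with credentials removed.

    Mirrors the intent of the upstream fix: the 'username:password@'
    part of the authority is stripped, everything else is kept.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # Keep only what follows the last '@' (host and optional port).
    netloc = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc=netloc))


def leaks_credentials_in_referer(cmdline: str) -> bool:
    """True when a curl command line combines all three risky conditions
    described in the advisory. Hypothetical audit helper, constructed here."""
    argv = shlex.split(cmdline)
    follows = auto_referer = creds_in_url = False
    for i, arg in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if arg.startswith("-") and not arg.startswith("--"):
            letters = arg[1:]                 # grouped short options, e.g. -sL
            if "L" in letters:
                follows = True
            # -e takes the next argument; curl enables autoreferer when
            # that argument contains ';auto'.
            if letters.endswith("e") and ";auto" in nxt:
                auto_referer = True
        elif arg == "--location":
            follows = True
        elif arg == "--referer" and ";auto" in nxt:
            auto_referer = True
        elif arg.startswith("--referer=") and ";auto" in arg:
            auto_referer = True
        elif "://" in arg and "@" in urlsplit(arg).netloc:
            creds_in_url = True               # http://user:pw@host/ form
    return follows and auto_referer and creds_in_url


if __name__ == "__main__":
    # Constructed sample command line exhibiting all three conditions.
    sample = "curl -L -e ';auto' http://username:password@example.com/"
    print(leaks_credentials_in_referer(sample))                 # True
    print(referer_for("http://username:password@example.com/"))  # http://example.com/
```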
This issue has been addressed in the following products:

JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

This issue has been addressed in the following products:

JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22876
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4511 https://access.redhat.com/errata/RHSA-2021:4511

This issue has been addressed in the following products:

.NET Core on Red Hat Enterprise Linux

Via RHSA-2022:1354 https://access.redhat.com/errata/RHSA-2022:1354