Bug 1941964 (CVE-2021-22876) - CVE-2021-22876 curl: Leak of authentication credentials in URL via automatic Referer
Summary: CVE-2021-22876 curl: Leak of authentication credentials in URL via automatic ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22876
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1942460 1942461 1942463 1942473 1942462 1942464 1942465 1942466 1942467 1942468 1942469 1942471 1942472 1942474 1942475 1942476 1942477 1945058 1945065 1945066 1945067 1956594 1956595
Blocks: 1941974
 
Reported: 2021-03-23 10:06 UTC by Marian Rehak
Modified: 2022-08-10 22:05 UTC (History)
CC: 39 users

Fixed In Version: curl 7.76.0
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected.
Clone Of:
Environment:
Last Closed: 2021-06-17 15:04:29 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2471 0 None None None 2021-06-17 11:36:00 UTC
Red Hat Product Errata RHSA-2021:2472 0 None None None 2021-06-17 11:45:59 UTC
Red Hat Product Errata RHSA-2021:4511 0 None None None 2021-11-09 19:02:40 UTC
Red Hat Product Errata RHSA-2022:1354 0 None None None 2022-04-13 14:28:52 UTC

Description Marian Rehak 2021-03-23 10:06:43 UTC
libcurl does not strip off user credentials from the URL when automatically populating the `Referer:` HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Upstream Advisory:

https://curl.se/docs/CVE-2021-22876.html

Comment 4 Tomas Hoger 2021-03-30 20:47:38 UTC
Acknowledgments:

Name: the Curl project
Upstream: Viktor Szakats

Comment 6 Tomas Hoger 2021-03-30 21:18:36 UTC
This issue may cause a leak of HTTP authentication credentials when all the following conditions are met:

- When connecting to some remote server, HTTP authentication credentials are included directly in the URL passed to libcurl.  I.e. the URL has the following form:  http://username:password@example.com/ .
- Following of redirects is enabled - in case of the curl command line tool, that's done using the -L / --location command line option; for the libcurl library, it's enabled using the CURLOPT_FOLLOWLOCATION option.
- Automatic generation of Referer headers while following redirects is enabled - using the -e ';auto' / --referer ';auto' option for the curl tool; or using the CURLOPT_AUTOREFERER library option.

When these conditions are met, and when the server responds with a redirect to some other host, the host that the request is redirected to will get the full original URL including authentication credentials via the Referer header automatically generated by libcurl.

This issue can be avoided by ensuring that at least one of the above conditions is not met.  The most practical mitigations are:

- Disable automatic generation of Referer headers while processing redirects.
- Avoid including authentication credentials directly in the URL and use other methods to provide those credentials - using the -u / --user option for the curl tool; use CURLOPT_USERPWD or CURLOPT_USERNAME / CURLOPT_PASSWORD options for libcurl.

Comment 8 Tomas Hoger 2021-03-31 10:04:48 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1945058]

Comment 11 Tomas Hoger 2021-03-31 15:11:27 UTC
Mitigation:

This issue can be avoided by using at least one of the following recommendations:

* Do not enable automatic generation of Referer headers when redirects are followed. This functionality is not enabled by default.  In the curl command line tool, it is enabled using the -e ';auto' or --referer ';auto' command line options. In the libcurl library, it is enabled using the CURLOPT_AUTOREFERER option.

* Do not include authentication credentials in URLs (in the form of https://username:password@example.com); use other methods to provide authentication credentials to curl / libcurl. For the curl command line tool, use the -u or --user command line option. For the libcurl library, use the CURLOPT_USERPWD or CURLOPT_USERNAME / CURLOPT_PASSWORD options.
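The leak described in Comment 6 and the mitigations in Comment 11 come down to one transformation: before a URL is reused as a Referer value on a redirect, any userinfo ("user:pass@") in its authority has to be removed. The following self-contained C program, added here as an illustration and not code from curl or from this bug's fix (curl 7.76.0 performs the stripping with its own URL API), shows that sanitisation together with a check a caller can use to refuse credential-bearing URLs up front. The function names (find_authority, url_has_userinfo, strip_userinfo, auto_referer) and the sample URLs are constructed for the example; only the authority is inspected, so an '@' that merely appears in a path or query string is left alone.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Find the authority of a URL: the text between "scheme://" and the first
 * '/', '?' or '#'.  Returns false when the URL has no "://" at all. */
static bool find_authority(const char *url, const char **start, const char **end)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return false;
    *start = p + 3;
    *end = *start + strcspn(*start, "/?#");
    return true;
}

/* Return a pointer to the last '@' inside [start, end), or NULL.  Per
 * RFC 3986 the userinfo part ends at the last '@' of the authority. */
static const char *userinfo_end(const char *start, const char *end)
{
    const char *at = NULL;
    for (const char *p = start; p < end; p++)
        if (*p == '@')
            at = p;
    return at;
}

/* True when the URL carries credentials ("user:pass@" or "user@") in its
 * authority.  An '@' in the path or query string does not count.  A caller
 * applying the second mitigation can reject such URLs and pass the
 * credentials through CURLOPT_USERPWD instead. */
bool url_has_userinfo(const char *url)
{
    const char *a, *e;
    if (!find_authority(url, &a, &e))
        return false;
    return userinfo_end(a, e) != NULL;
}

/* Copy url into out with any userinfo removed from the authority.  This is
 * the sanitisation a Referer value needs before it is sent to a redirect
 * target.  Returns the length of the result (excluding the NUL), or -1 when
 * out is too small. */
int strip_userinfo(const char *url, char *out, size_t outlen)
{
    const char *a, *e, *at, *rest;
    size_t prefix_len, rest_len;

    if (find_authority(url, &a, &e)) {
        at = userinfo_end(a, e);
        rest = at ? at + 1 : a;          /* skip "user:pass@" if present */
    } else {
        a = url;                          /* no authority: copy unchanged */
        rest = url;
    }
    prefix_len = (size_t)(a - url);       /* "scheme://" */
    rest_len = strlen(rest);              /* host[:port]/path?query#frag */
    if (prefix_len + rest_len + 1 > outlen)
        return -1;
    memcpy(out, url, prefix_len);
    memcpy(out + prefix_len, rest, rest_len + 1);
    return (int)(prefix_len + rest_len);
}

/* Referer value to send when following a redirect away from `original`.
 * Returns NULL when automatic Referer generation is off (the default, and
 * the first mitigation above); otherwise the credential-free form. */
const char *auto_referer(const char *original, bool autoreferer_enabled,
                         char *out, size_t outlen)
{
    if (!autoreferer_enabled)
        return NULL;
    if (strip_userinfo(original, out, outlen) < 0)
        return NULL;
    return out;
}

int main(void)
{
    /* Constructed sample URLs, not taken from any real request. */
    const char *samples[] = {
        "http://username:password@example.com/",
        "https://alice@example.com:8443/path?next=bob@other.example",
        "https://example.com/cb?redirect=user@host",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *ref = auto_referer(samples[i], true, buf, sizeof buf);
        printf("%-60s credentials=%s referer=%s\n", samples[i],
               url_has_userinfo(samples[i]) ? "yes" : "no",
               ref ? ref : "(none)");
    }
    return 0;
}
```

With automatic Referer generation disabled, auto_referer returns NULL and nothing is sent; with it enabled, the first sample yields "http://example.com/" rather than the credential-bearing original, which is the difference between the affected and the fixed behaviour.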

Comment 15 errata-xmlrpc 2021-06-17 11:35:53 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

Comment 16 errata-xmlrpc 2021-06-17 11:45:53 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472

Comment 17 Product Security DevOps Team 2021-06-17 15:04:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22876

Comment 18 errata-xmlrpc 2021-11-09 19:02:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4511 https://access.redhat.com/errata/RHSA-2021:4511

Comment 19 errata-xmlrpc 2022-04-13 14:28:49 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:1354 https://access.redhat.com/errata/RHSA-2022:1354

