Bug 2078408 (CVE-2022-27776) - CVE-2022-27776 curl: auth/cookie leak on redirect
Summary: CVE-2022-27776 curl: auth/cookie leak on redirect
Keywords:
Status: NEW
Alias: CVE-2022-27776
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2078749 2078750 2078751 2078753 2079173 2078752 2079174
Blocks: 2077543
TreeView+ depends on / blocked
 
Reported: 2022-04-25 08:58 UTC by Marian Rehak
Modified: 2022-04-27 13:01 UTC (History)
25 users (show)

Fixed In Version: curl 7.83.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in curl. This security flaw allows leak authentication or cookie header data on HTTP redirects to the same host but another port number. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:`headers. Those headers often contain privacy-sensitive information or data.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2022-04-25 08:58:34 UTC
When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host which name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme. Contrary to expectation and intention. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:` headers, as those headers often contain privacy sensitive information or data.

curl and libcurl have options that allow users to opt out from this check, but
that is not set by default.

Comment 4 Sandipan Roy 2022-04-27 06:37:50 UTC
https://curl.se/docs/CVE-2022-27776.html

Comment 5 Sandipan Roy 2022-04-27 06:38:26 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2079174]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2079173]


Note You need to log in before you can comment on or make changes to this bug.