CVE-2021-22876

Published: 31 March 2021

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. When libcurl automatically populates the Referer: request header field in an outgoing HTTP request, it does not strip the user credentials (the user:password@ part) from the previous request's URL, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
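As an added illustration (not curl's own code), the following Python models the two behaviours described above: copying the previous URL verbatim into Referer: versus dropping the userinfo first, plus a small check a defender could run over captured header values to spot a leak. The URLs and function names are constructed for this example.

```python
"""Strip URL userinfo before populating an outgoing Referer header.

Added example, not curl's own code: models the defect described in
CVE-2021-22876 and the corrected behaviour. All URLs are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


def strip_userinfo(url: str) -> str:
    """Return `url` with any user:password@ portion removed from the authority."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # nothing to strip
    host = parts.hostname or ""
    # urlsplit returns IPv6 literals without brackets; put them back.
    if ":" in host:
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def referer_header_unfixed(previous_url: str) -> str:
    """Behaviour before the fix: the previous URL is copied verbatim."""
    return previous_url


def referer_header_fixed(previous_url: str) -> str:
    """Behaviour after the fix: credentials are removed first."""
    return strip_userinfo(previous_url)


def leaks_credentials(header_value: str) -> bool:
    """Detection helper: True if a Referer value still carries userinfo."""
    parts = urlsplit(header_value)
    return parts.username is not None or parts.password is not None


if __name__ == "__main__":
    # Constructed sample: a request that carried credentials in its URL.
    first = "https://user:secret@example.com/login?next=1"
    print("unfixed:", referer_header_unfixed(first), leaks_credentials(referer_header_unfixed(first)))
    print("fixed:  ", referer_header_fixed(first), leaks_credentials(referer_header_fixed(first)))
```

The detection helper is the part worth reusing on the defensive side: running it over Referer: values seen at a proxy or in access logs shows whether any client in the estate is still shipping userinfo in that header.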

Priority

Medium

CVSS 3 base score: 5.3

Status

Package: curl (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (7.58.0-2ubuntu3.13)
focal      Released (7.68.0-1ubuntu2.5)
groovy     Released (7.68.0-1ubuntu4.3)
hirsute    Released (7.74.0-1ubuntu2)
precise    Ignored (end of ESM support, was needed)
trusty     Released (7.35.0-1ubuntu2.20+esm7)
upstream   Needs triage
xenial     Released (7.47.0-1ubuntu2.19)