Awarded 480 USD

CVE-2022-27776

Auth/cookie leak on redirect

Project curl Security Advisory, April 27 2022

VULNERABILITY

curl might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host whose name is used in the initial URL, so that redirects to other hosts do not make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to hosts that are identical to the first one but use a different port number or URL scheme, contrary to expectation and intention.

Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom Authorization: or Cookie: headers, as those headers often contain privacy-sensitive information or data.

curl and libcurl have options that allow users to opt out from this check, but that is not set by default.

INFO

This flaw was added in curl 4.9 with the introduction of --location and has been present in all libcurl versions ever released. In July 2000 in the curl 7.1.1 release, this commit was the first version that attempted to avoid this, but the check has been bad since then.

In 2018, CVE-2018-1000007 was reported that partly addressed this area - but in an incomplete way.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-27776 to this issue.

CWE-522: Insufficiently Protected Credentials

Severity: Low

AFFECTED VERSIONS

Also note that libcurl is used by many applications, and not always advertised as such.

SOLUTION

In curl version 7.83.0, the same-host check is extended to check the port number and protocol as well.

RECOMMENDATIONS

A - Upgrade curl to version 7.83.0

B - Apply the patch to your local version

C - Do not enable CURLOPT_FOLLOWLOCATION if you pass on custom Authorization: headers or cookies.

TIMELINE

This issue was reported to the curl project on April 21, 2022. We contacted distros@openwall on April 22.

libcurl 7.83.0 was released on April 27 2022, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!

