CVE-2021-22876

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 6 (hide)

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

Configuration 7 (hide)

OR cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*

Configuration 8 (hide)

OR cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*

History

27 Mar 2024, 15:47

Type Values Removed Values Added
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/ - Mailing List, Third Party Advisory
CPE cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
First Time Splunk
Splunk universal Forwarder

07 Nov 2023, 03:30

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/', 'name': 'FEDORA-2021-26a293c72b', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/', 'name': 'FEDORA-2021-065371f385', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/', 'name': 'FEDORA-2021-cab5c9befb', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/ -

06 Apr 2022, 16:19

Type Values Removed Values Added
First Time Siemens sinec Infrastructure Network Services
Oracle communications Billing And Revenue Management
Siemens
Oracle
Oracle essbase
References (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory
References (MISC) https://hackerone.com/reports/1101882 - Exploit, Patch, Third Party Advisory (MISC) https://hackerone.com/reports/1101882 - Exploit, Issue Tracking, Patch, Third Party Advisory
References (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Third Party Advisory
CPE cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*

10 Mar 2022, 17:41

Type Values Removed Values Added
References
  • (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf -
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

15 Jun 2021, 18:58

Type Values Removed Values Added
CPE cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
References (MISC) https://hackerone.com/reports/1101882 - Permissions Required, Third Party Advisory (MISC) https://hackerone.com/reports/1101882 - Exploit, Patch, Third Party Advisory

27 May 2021, 16:21

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*
cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/ - Mailing List, Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20210521-0007/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20210521-0007/ - Third Party Advisory
References (GENTOO) https://security.gentoo.org/glsa/202105-36 - (GENTOO) https://security.gentoo.org/glsa/202105-36 - Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html - (MLIST) https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html - Mailing List, Third Party Advisory

26 May 2021, 15:15

Type Values Removed Values Added
References
  • (GENTOO) https://security.gentoo.org/glsa/202105-36 -

21 May 2021, 09:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210521-0007/ -

17 May 2021, 20:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html -

22 Apr 2021, 01:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/ -

06 Apr 2021, 18:02

Type Values Removed Values Added
CPE cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 5.3
CWE CWE-200
References (MISC) https://curl.se/docs/CVE-2021-22876.html - (MISC) https://curl.se/docs/CVE-2021-22876.html - Patch, Vendor Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/ - Mailing List, Third Party Advisory
References (MISC) https://hackerone.com/reports/1101882 - (MISC) https://hackerone.com/reports/1101882 - Permissions Required, Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/ - Mailing List, Third Party Advisory

06 Apr 2021, 02:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/ -

04 Apr 2021, 03:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/ -

01 Apr 2021, 18:21

Type Values Removed Values Added
New CVE

Information

Published : 2021-04-01 18:15

Updated : 2024-03-27 15:47


NVD link : CVE-2021-22876

Mitre link : CVE-2021-22876

CVE.ORG link : CVE-2021-22876


JSON object : View

Products Affected

netapp

  • hci_storage_node
  • hci_management_node
  • solidfire
  • hci_compute_node

siemens

  • sinec_infrastructure_network_services

debian

  • debian_linux

splunk

  • universal_forwarder

haxx

  • libcurl

broadcom

  • fabric_operating_system

oracle

  • communications_billing_and_revenue_management
  • essbase

fedoraproject

  • fedora
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor