curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
Configuration 7 (hide)
|
Configuration 8 (hide)
|
History
27 Mar 2024, 15:47
Type | Values Removed | Values Added |
---|---|---|
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/ - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/ - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* |
|
First Time |
Splunk
Splunk universal Forwarder |
07 Nov 2023, 03:30
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
06 Apr 2022, 16:19
Type | Values Removed | Values Added |
---|---|---|
First Time |
Siemens sinec Infrastructure Network Services
Oracle communications Billing And Revenue Management Siemens Oracle Oracle essbase |
|
References | (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory | |
References | (MISC) https://hackerone.com/reports/1101882 - Exploit, Issue Tracking, Patch, Third Party Advisory | |
References | (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Third Party Advisory | |
CPE | cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:* |
10 Mar 2022, 17:41
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Jun 2021, 18:58
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:* | |
References | (MISC) https://hackerone.com/reports/1101882 - Exploit, Patch, Third Party Advisory |
27 May 2021, 16:21
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:* cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:* |
|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/ - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20210521-0007/ - Third Party Advisory | |
References | (GENTOO) https://security.gentoo.org/glsa/202105-36 - Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html - Mailing List, Third Party Advisory |
26 May 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 May 2021, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 May 2021, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Apr 2021, 01:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Apr 2021, 18:02
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 5.3 |
CWE | CWE-200 | |
References | (MISC) https://curl.se/docs/CVE-2021-22876.html - Patch, Vendor Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/ - Mailing List, Third Party Advisory | |
References | (MISC) https://hackerone.com/reports/1101882 - Permissions Required, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/ - Mailing List, Third Party Advisory |
06 Apr 2021, 02:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
04 Apr 2021, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Apr 2021, 18:21
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-04-01 18:15
Updated : 2024-03-27 15:47
NVD link : CVE-2021-22876
Mitre link : CVE-2021-22876
CVE.ORG link : CVE-2021-22876
JSON object : View
Products Affected
netapp
- hci_storage_node
- hci_management_node
- solidfire
- hci_compute_node
siemens
- sinec_infrastructure_network_services
debian
- debian_linux
splunk
- universal_forwarder
haxx
- libcurl
broadcom
- fabric_operating_system
oracle
- communications_billing_and_revenue_management
- essbase
fedoraproject
- fedora