CURL-CVE-2015-3153

Source
https://curl.se/docs/CVE-2015-3153.html
Import Source
https://curl.se/docs/CURL-CVE-2015-3153.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2015-3153
Aliases
Published
2015-04-29T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
sensitive HTTP server headers also sent to proxies
Details

libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option.

When the connection passes through an HTTP proxy the same set of headers is sent to the proxy as well by default. While this is by design, it has not necessarily been clear nor understood by application programmers.

Such tunneling over a proxy is done for example when using the HTTPS protocol - or when explicitly asked for. In this case, the initial connection to the proxy is made in clear including any custom headers using the HTTP CONNECT method.

While libcurl provides the CURLOPT_HEADEROPT option to allow applications to tell libcurl if the headers should be sent to host and the proxy or use separate lists to the different destinations, it has still defaulted to sending the same headers to both parties for the sake of compatibility.

If the application sets a custom HTTP header with sensitive content (e.g., authentication cookies) without changing the default, the proxy, and anyone who listens to the traffic between the application and the proxy, might get access to those values.

Note: this problem does not exist when using the CURLOPT_COOKIE option (or the --cookie option) or the HTTP auth options, which are always sent only to the destination server.

Database specific
{
    "CWE": {
        "id": "CWE-201",
        "desc": "Information Exposure Through Sent Data"
    },
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2015-3153.json",
    "severity": "High",
    "www": "https://curl.se/docs/CVE-2015-3153.html",
    "last_affected": "7.42.0"
}
References
Credits
    • Yehezkel Horowitz - FINDER
    • Oren Souroujon - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
4.0
Fixed
7.42.1
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

4.*

4.0
4.1
4.10
4.2
4.3
4.4
4.5
4.5.1
4.6
4.7
4.8
4.8.1
4.8.2
4.8.3
4.8.4
4.9

5.*

5.0
5.10
5.11
5.2
5.2.1
5.3
5.4
5.5
5.5.1
5.7
5.7.1
5.8
5.9
5.9.1

6.*

6.0
6.1
6.2
6.3
6.3.1
6.4
6.5
6.5.1
6.5.2

7.*

7.1
7.1.1
7.10
7.10.1
7.10.2
7.10.3
7.10.4
7.10.5
7.10.6
7.10.7
7.10.8
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.2
7.2.1
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.3
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.4
7.4.1
7.4.2
7.40.0
7.41.0
7.42.0
7.5
7.5.1
7.5.2
7.6
7.6.1
7.7
7.7.1
7.7.2
7.7.3
7.8
7.8.1
7.9
7.9.1
7.9.2
7.9.3
7.9.4
7.9.5
7.9.6
7.9.7
7.9.8