CURL-CVE-2015-3236

Source
https://curl.se/docs/CVE-2015-3236.html
Import Source
https://curl.se/docs/CURL-CVE-2015-3236.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2015-3236
Aliases
Published
2015-06-17T08:00:00Z
Modified
2024-07-02T09:22:24Z
Summary
lingering HTTP credentials in connection re-use
Details

libcurl can wrongly send HTTP credentials when re-using connections.

libcurl allows applications to set credentials for the upcoming transfer with HTTP Basic authentication, like with CURLOPT_USERPWD for example. Name and password. Just like all other libcurl options the credentials are sticky and are kept associated with the "handle" until something is made to change the situation.

Further, libcurl offers a curl_easy_reset() function that resets a handle back to its pristine state in terms of all settable options. A reset is of course also supposed to clear the credentials. A reset is typically used to clear up the handle and prepare it for a new, possibly unrelated, transfer.

Within such a handle, libcurl can also store a set of previous connections in case a second transfer is requested to a hostname for which an existing connection is already kept alive.

With this flaw present, using the handle even after a reset would make libcurl accidentally use those credentials in a subsequent request if done to the same hostname and connection as was previously accessed.

An example case would be first requesting a password protected resource from one section of a website, and then do a second request of a public resource from a completely different part of the site without authentication. This flaw would then inadvertently leak the credentials in the second request.

Database specific
{
    "CWE": {
        "id": "CWE-305",
        "desc": "Authentication Bypass by Primary Weakness"
    },
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2015-3236.json",
    "severity": "High",
    "www": "https://curl.se/docs/CVE-2015-3236.html",
    "last_affected": "7.42.1"
}
References
Credits
    • Tomas Tomecek - FINDER
    • Kamil Dudka - FINDER
    • Kamil Dudka - REMEDIATION_DEVELOPER

Affected packages

Git /

Affected ranges

Type
SEMVER
Events
Introduced
7.40.0
Fixed
7.43.0

Affected versions

7.*

7.40.0
7.41.0
7.42.0
7.42.1