libcurl does not strip off user credentials from the URL when automatically
populating the Referer:
HTTP request header field in outgoing HTTP requests,
and therefore risks leaking sensitive data to the server that is the target of
the second HTTP request.
libcurl automatically sets the Referer:
HTTP request header field in
outgoing HTTP requests if the CURLOPT_AUTOREFERER
option is set. With the
curl tool, it is enabled with --referer ";auto"
.
{ "CWE": { "id": "CWE-359", "desc": "Exposure of Private Personal Information to an Unauthorized Actor" }, "award": { "amount": "800", "currency": "USD" }, "URL": "https://curl.se/docs/CVE-2021-22876.json", "package": "curl", "severity": "Low", "issue": "https://hackerone.com/reports/1101882", "www": "https://curl.se/docs/CVE-2021-22876.html", "last_affected": "7.75.0" }