CURL-CVE-2022-27774
- Source
- https://curl.se/docs/CVE-2022-27774.html
- Import Source
- https://curl.se/docs/CURL-CVE-2022-27774.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2022-27774
- Aliases
- Published
- 2022-04-27T08:00:00Z
- Modified
- 2024-01-25T02:42:50.285610Z
- Summary
- Credential leak on redirect
- Details
-
curl follows HTTP(S) redirects when asked to. curl also supports authentication. When a user and password are provided for a URL with a given hostname, curl makes an effort to not pass on those credentials to other hosts in redirects unless given permission with a special option.
This "same host check" has been flawed all since it was introduced. It does not work on cross protocol redirects and it does not consider different port numbers to be separate hosts. This leads to curl leaking credentials to other servers when it follows redirects from auth protected HTTP(S) URLs to other protocols and port numbers. It could also leak the TLS SRP credentials this way.
By default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked to allow redirects to all protocols curl supports.
- References
-
- Credits
-
-
- Harry Sintonen - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced4.9Fixed7.83.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events