libcurl 7.1 up to and including 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
haxx curl |
||
debian debian linux 8.0 |
||
debian debian linux 7.0 |
||
debian debian linux 9.0 |
||
canonical ubuntu linux 16.04 |
||
canonical ubuntu linux 14.04 |
||
canonical ubuntu linux 12.04 |
||
canonical ubuntu linux 17.10 |
||
redhat enterprise linux desktop 7.0 |
||
redhat enterprise linux workstation 7.0 |
||
redhat enterprise linux server 7.0 |
||
redhat enterprise linux server aus 7.4 |
||
redhat enterprise linux server eus 7.4 |
||
redhat enterprise linux server eus 7.5 |
||
fujitsu m10-1_firmware |
||
fujitsu m10-4_firmware |
||
fujitsu m10-4s_firmware |
||
fujitsu m12-1_firmware |
||
fujitsu m12-2_firmware |
||
fujitsu m12-2s_firmware |
Fixed in 7.58.0
If you use libcurl, the command line tool and library for transferring data with URLs, get ready to patch. The tool has a pair of problems, one of which is an authentication leak. This advisory says the library can leak authentication data to third parties because of how it handles custom headers in HTTP requests. “When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X H...