CVE-2021-22876: Infoleak

Published Mar 23, 2021
·
Updated

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Other sources

cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain user credentials, and use this information to launch further attacks against the affected system.

IBM

It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected.

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Upstream Advisory:

https://curl.se/docs/CVE-2021-22876.html

Red Hat

Affected Software

40 affected componentsFixes available
redhat/jbcs-httpd24<0:1-18.el8
0:1-18.el8
redhat/jbcs-httpd24-apr<0:1.6.3-105.el8
0:1.6.3-105.el8
redhat/jbcs-httpd24-apr-util<0:1.6.1-82.el8
0:1.6.1-82.el8
redhat/jbcs-httpd24-brotli<0:1.0.6-40.el8
0:1.0.6-40.el8
redhat/jbcs-httpd24-curl<0:7.77.0-2.el8
0:7.77.0-2.el8
redhat/jbcs-httpd24-httpd<0:2.4.37-74.el8
0:2.4.37-74.el8
redhat/jbcs-httpd24-jansson<0:2.11-55.el8
0:2.11-55.el8
redhat/jbcs-httpd24-nghttp2<0:1.39.2-37.el8
0:1.39.2-37.el8
redhat/jbcs-httpd24-openssl<1:1.1.1g-6.el8
1:1.1.1g-6.el8
redhat/jbcs-httpd24-openssl-chil<0:1.0.0-5.el8
0:1.0.0-5.el8
redhat/jbcs-httpd24-openssl-pkcs11<0:0.4.10-20.el8
0:0.4.10-20.el8
redhat/jbcs-httpd24<0:1-18.jbcs.el7
0:1-18.jbcs.el7
redhat/jbcs-httpd24-apr<0:1.6.3-105.jbcs.el7
0:1.6.3-105.jbcs.el7
redhat/jbcs-httpd24-apr-util<0:1.6.1-82.jbcs.el7
0:1.6.1-82.jbcs.el7
redhat/jbcs-httpd24-curl<0:7.77.0-2.jbcs.el7
0:7.77.0-2.jbcs.el7
redhat/jbcs-httpd24-httpd<0:2.4.37-74.jbcs.el7
0:2.4.37-74.jbcs.el7
redhat/jbcs-httpd24-jansson<0:2.11-55.jbcs.el7
0:2.11-55.jbcs.el7
redhat/rh-dotnet31-curl<0:7.61.1-22.el7_9
0:7.61.1-22.el7_9
redhat/curl<0:7.61.1-22.el8
0:7.61.1-22.el8
debian/curl
7.64.0-4+deb10u27.64.0-4+deb10u77.74.0-1.3+deb11u97.74.0-1.3+deb11u107.88.1-10+deb12u37.88.1-10+deb12u48.4.0-2
redhat/curl<7.76.0
7.76.0
IBM QRadar SIEM<=7.5.0 GA
IBM QRadar SIEM<=7.4.3 GA - 7.4.3 FP4
IBM QRadar SIEM<=7.3.3 GA - 7.3.3 FP10
haxx libcurl>=7.1.1<=7.75.0
Fedoraproject Fedora=32
Fedoraproject Fedora=33
Fedoraproject Fedora=34
NetApp Hci Management Node
NetApp Solidfire
NetApp Hci Compute Node
NetApp Hci Storage Node
Broadcom Fabric Operating System
Debian Debian Linux=9.0
Siemens Sinec Infrastructure Network Services<1.0.1.1
Oracle Communications Billing and Revenue Management=12.0.0.3.0
Oracle Essbase=21.2
Splunk Universal Forwarder>=8.2.0<8.2.12
Splunk Universal Forwarder>=9.0.0<9.0.6
Splunk Universal Forwarder=9.1.0

Remediation

Patch Available

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch Available

https://curl.se/docs/CVE-2021-22876.html

Patch Available

https://hackerone.com/reports/1101882

Information

This issue can be avoided by using at least one of the following recommendations: * Do not enable automatic generation of Referer headers when redirects are followed. This functionality is not enabled by default. In the curl command line tool, it is enabled using the -e ';auto' or --referer ';auto' command line options. In the libcurl library, it is enabled using the CURLOPT_AUTOREFERER option. * Do not include authentication credentials in URLs (in the form of https://username:password@example.com), use other methods to provide authentication credentials to curl / libcurl. For the curl command line tool, use -u or --user command line option. For the libcurl library, use CURLOPT_USERPWD or CURLOPT_USERNAME / CURLOPT_PASSWORD options.

Event History

Mar 23, 2021
Data Sourced
via Red Hat·10:06 AM
DescriptionSeverityAffected Software
Mar 31, 2021
CVE Published
12:00 AM
Apr 1, 2021
CVE Published
via MITRE·05:45 PM
Data Sourced
via MITRE·05:45 PM
DescriptionWeakness

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID of this vulnerability?

The vulnerability ID is CVE-2021-22876.

2

What is the severity of CVE-2021-22876?

The severity of CVE-2021-22876 is high with a severity value of 7.5.

3

How does CVE-2021-22876 affect libcurl?

CVE-2021-22876 affects libcurl by allowing a remote attacker to obtain sensitive information.

4

How can an attacker exploit CVE-2021-22876?

An attacker can exploit CVE-2021-22876 by sending a specially-crafted HTTP request.

5

Is there a fix available for CVE-2021-22876?

Yes, a fix is available for CVE-2021-22876. Please refer to the provided references for more information on how to obtain the fix.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203