PT-2026-56232 · Haarg · Tiny-Http

Olaf Alders

·

Publicado

2026-07-07

·

Atualizado

2026-07-07

·

CVE-2026-7017

CVSS v3.1

7.1

Alta

VetorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.
When the server returns a 3xx redirect, maybe redirect follows the Location: header and prepare headers and cb re-merges the caller's headers argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied Authorization, Cookie and Proxy-Authorization headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including https to http downgrades that expose them in plaintext on the wire.
The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.

Correção

Insufficiently Protected Credentials

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-7017

Produtos afetados

Tiny-Http