PT-2015-6113 · Curl · Libcurl

Kamil Dudka and one other

Published 2015-06-17 · Updated 2024-06-15

CVE-2015-3236

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: cURL and libcurl versions 7.40.0 through 7.42.1
Description: The flaw causes libcurl to send HTTP Basic credentials on requests the application did not intend to authenticate, disclosing them to the receiving host. In the affected versions the credentials last used on a connection stay attached to that connection in libcurl's connection cache. When an application sets credentials on an easy handle (for example with CURLOPT_USERPWD), completes a transfer, calls curl_easy_reset() to return the handle to its defaults, and then performs a second transfer to the same host name, libcurl may pick the cached connection and send the earlier credentials on the new request even though none are set on the handle. curl_easy_reset() clears the options on the handle but, in these versions, not the credentials held on the reusable connection, so a request meant to go out unauthenticated (or on behalf of a different user) carries the previous credentials.
Recommendations: Upgrade to curl/libcurl 7.43.0 or later, which corrects the connection re-use logic (7.43.0 was released on 2015-06-17). Vendor advisories for distribution packages are listed under Related Identifiers. Where upgrading is not immediately possible, do not rely on curl_easy_reset() to drop credentials for versions 7.40.0 through 7.42.1: use a separate easy handle for unauthenticated transfers, or prevent connection re-use (CURLOPT_FORBID_REUSE on the authenticated transfer, or CURLOPT_FRESH_CONNECT on the transfer that follows it) so that a connection which has carried credentials is never taken from the cache for a credential-less request to the same host. Restrict access to the affected resources to limit the impact of a leaked credential.
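The failure mode described above, and the effect of the mitigations in the recommendations, modelled in C as an added example. This is not libcurl's code and not the project's own test: it assumes a single-slot connection cache, a handle reduced to the options involved (`fresh_connect` standing in for CURLOPT_FRESH_CONNECT, `user`/`passwd` for CURLOPT_USERPWD), a `fixed` flag that selects the corrected re-use behaviour rather than reproducing the internals of the 7.43.0 fix, and constructed sample values `example.test` and `alice:s3cret`.

```c
#include <stdio.h>
#include <string.h>

/* Cached connection. In the affected versions the credentials last used on a
 * connection stayed attached to it in libcurl's connection cache (modelled). */
struct conn { char host[64], user[64], passwd[64]; int has_userpwd; };

/* Easy handle, reduced to the options this scenario needs. fresh_connect
 * stands in for CURLOPT_FRESH_CONNECT, user/passwd for CURLOPT_USERPWD. */
struct handle { char host[64], user[64], passwd[64]; int has_userpwd, fresh_connect; };

/* Equivalent of curl_easy_reset(): every option on the handle back to default. */
void handle_reset(struct handle *h) { memset(h, 0, sizeof *h); }

/* Set the target host and, if user is non-NULL, Basic credentials. */
void handle_set(struct handle *h, const char *host, const char *user, const char *passwd) {
    snprintf(h->host, sizeof h->host, "%s", host);
    snprintf(h->user, sizeof h->user, "%s", user ? user : "");
    snprintf(h->passwd, sizeof h->passwd, "%s", passwd ? passwd : "");
    h->has_userpwd = user != NULL;
}

static void conn_set_creds(struct conn *c, const char *user, const char *passwd) {
    snprintf(c->user, sizeof c->user, "%s", user ? user : "");
    snprintf(c->passwd, sizeof c->passwd, "%s", passwd ? passwd : "");
    c->has_userpwd = user != NULL;
}

/* Plain base64 (RFC 4648), only needed to render a realistic Basic header. */
void b64encode(const unsigned char *in, size_t len, char *out) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    for (i = 0; i < len; i += 3) {
        unsigned v = in[i] << 16 | (i + 1 < len ? in[i + 1] << 8 : 0) | (i + 2 < len ? in[i + 2] : 0);
        out[o++] = tbl[v >> 18 & 63];
        out[o++] = tbl[v >> 12 & 63];
        out[o++] = i + 1 < len ? tbl[v >> 6 & 63] : '=';
        out[o++] = i + 2 < len ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
}

/* Single-slot connection cache: enough to exercise the re-use path. */
static struct conn cache; static int cache_used;

/* One transfer. Writes the Authorization header that would go on the wire into
 * out ("" if none) and returns out. fixed=0 models the affected re-use logic,
 * fixed=1 the corrected behaviour. */
const char *transfer(const struct handle *h, int fixed, char *out, size_t outlen) {
    struct conn *c = &cache;
    char userpwd[130], enc[176];

    if (cache_used && !h->fresh_connect && strcmp(c->host, h->host) == 0) {
        /* re-using the cached connection to the same host name */
        if (h->has_userpwd)
            conn_set_creds(c, h->user, h->passwd);   /* new credentials replace the old */
        else if (fixed)
            conn_set_creds(c, NULL, NULL);           /* corrected: nothing inherited from earlier transfers */
        /* affected versions: nothing clears the stale credentials on this path */
    } else {
        memset(c, 0, sizeof *c);                     /* new connection, built from the handle only */
        snprintf(c->host, sizeof c->host, "%s", h->host);
        if (h->has_userpwd)
            conn_set_creds(c, h->user, h->passwd);
        cache_used = 1;
    }

    if (!c->has_userpwd) { out[0] = '\0'; return out; }
    snprintf(userpwd, sizeof userpwd, "%s:%s", c->user, c->passwd);
    b64encode((const unsigned char *)userpwd, strlen(userpwd), enc);
    snprintf(out, outlen, "Authorization: Basic %s", enc);
    return out;
}

/* Authenticated transfer, curl_easy_reset(), then a transfer with no credentials
 * to the same host. Returns the Authorization header of the second transfer.
 * Host and credentials are constructed sample values. */
const char *second_request_auth(int fixed, int fresh_connect) {
    static char out[200];
    char first[200];
    struct handle h;

    memset(&cache, 0, sizeof cache); cache_used = 0;    /* start with an empty cache */
    handle_reset(&h);
    handle_set(&h, "example.test", "alice", "s3cret");
    transfer(&h, fixed, first, sizeof first);           /* sends Basic YWxpY2U6czNjcmV0 */

    handle_reset(&h);                                   /* credentials gone from the handle... */
    handle_set(&h, "example.test", NULL, NULL);
    h.fresh_connect = fresh_connect;
    return transfer(&h, fixed, out, sizeof out);        /* ...but are they gone from the wire? */
}

int main(void) {
    printf("affected, connection re-used:    \"%s\"\n", second_request_auth(0, 0));
    printf("affected, CURLOPT_FRESH_CONNECT: \"%s\"\n", second_request_auth(0, 1));
    printf("fixed (7.43.0 logic), re-used:   \"%s\"\n", second_request_auth(1, 0));
    return 0;
}
```

Build with `cc -o reuse reuse.c && ./reuse`. The affected variant prints the Basic header for the second, credential-less request; forcing a fresh connection or using the corrected logic prints an empty header. The property to check in any client that pools connections is the same: the credentials on the wire must be derived from the current request's options, never from state left on the pooled connection.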

Information Disclosure


Related Identifiers

ALT-PU-2015-1555
CVE-2015-3236
MGASA-2015-0263
OPENSUSE-SU-2024:10303-1

Affected Products

Alt Linux
Curl
Libcurl