PT-2020-3019 · Curl+5

Marek Szlagor

·

Published

2020-06-24

·

Updated

2026-05-18

·

CVE-2020-8169

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions curl versions 7.62.0 through 7.70.0
Description The issue stems from incorrect handling of credentials, which can leak part of the password in clear text over the network, in particular to the DNS server(s) in use. libcurl is tricked into prepending part of the password to the host name before it resolves that name. Credentials are set with CURLOPT_USERPWD, CURLOPT_USERNAME and CURLOPT_PASSWORD, or embedded in the URL in standard RFC 3986 form. The root cause is that curl did not URL-encode credentials set through one of the curl_easy_setopt() options. When curl followed a redirect it rebuilt the full URL from these unencoded values and produced a malformed URL; re-parsing that URL then wrongly treated part of the password field as belonging to the host name. That wrong host name was used in a name-resolve lookup, potentially leaking the host name plus the partial password in clear text over the network, and in particular to the DNS server(s) in use. The leak is triggered when the password contains an at sign (@).
Recommendations For curl versions 7.62.0 through 7.70.0, update to curl 7.71.0 or later, where the credentials are URL-encoded before the redirect URL is rebuilt. If you cannot update, avoid the @ character in passwords as a temporary workaround; since the problem is specific to credentials passed unencoded through curl_easy_setopt(), supplying them already percent-encoded in the URL itself also avoids the bad re-parse, and because the malformed URL is only built when curl follows a redirect, not following redirects (CURLOPT_FOLLOWLOCATION off) removes the trigger as well. Note that using HTTPS does not help: the leak happens in the name lookup, before any connection is made, so the partial password reaches the resolver in clear text regardless of the scheme. Treat any password containing @ that was used with an affected libcurl and a redirecting endpoint as potentially exposed and rotate it.
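The mechanism in the description and the encoding fix in the recommendations, as an added Python example that is not curl's code and not from the original page: it builds the redirect URL both ways from constructed sample credentials, then splits the authority with a minimal RFC 3986-style parser (assumed here to take the first @ as the end of the userinfo, which is how the tail of the password ends up in the host) to show which name would be handed to the resolver. The user, password, host and path are constructed values, and split_authority is an illustration, not curl's own URL parser.

```python
from urllib.parse import quote, unquote

# Constructed sample values (not from the advisory); the '@' in the password
# is the character that triggers the mis-parse.
USER = "alice"
PASSWORD = "s3cr@t!pw"
HOST = "api.example.com"
PATH = "/v1/login"


def build_url_unencoded(user, password, host, path, scheme="https"):
    """Models what curl 7.62.0-7.70.0 did on redirect: credentials supplied via
    curl_easy_setopt() were pasted into the rebuilt URL without percent-encoding."""
    return f"{scheme}://{user}:{password}@{host}{path}"


def build_url_encoded(user, password, host, path, scheme="https"):
    """Hardened construction: percent-encode each userinfo component so a literal
    '@' (or ':', '/', '?', '#') inside a credential cannot act as a URL delimiter."""
    return f"{scheme}://{quote(user, safe='')}:{quote(password, safe='')}@{host}{path}"


def split_authority(url):
    """Minimal RFC 3986-style authority split (an added illustration, not curl's
    own parser). Assumes the userinfo ends at the FIRST '@' and the host runs to
    the next ':' or '/'. Returns (user, password, host), userinfo percent-decoded."""
    _scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("URL has no scheme")
    authority = rest.partition("/")[0]
    userinfo, at, hostport = authority.partition("@")
    if not at:                       # no credentials embedded in the URL
        userinfo, hostport = "", userinfo
    host = hostport.partition(":")[0]
    user, _, password = userinfo.partition(":")
    return unquote(user), unquote(password), host


def name_sent_to_resolver(url):
    """The host component is what goes out in the DNS query, unencrypted."""
    return split_authority(url)[2]


def leaked_password_fragment(url, real_host):
    """Part of the password that ended up in the resolved name, '' if none."""
    host = name_sent_to_resolver(url)
    if host == real_host:
        return ""
    suffix = "@" + real_host
    return host[: -len(suffix)] if host.endswith(suffix) else host


if __name__ == "__main__":
    for label, build in (("unencoded", build_url_unencoded),
                         ("encoded", build_url_encoded)):
        url = build(USER, PASSWORD, HOST, PATH)
        user, password, host = split_authority(url)
        print(f"{label:9s} {url}")
        print(f"          DNS lookup for: {host!r}")
        print(f"          credentials used: {user!r}:{password!r}")
        print(f"          password leaked to resolver: "
              f"{leaked_password_fragment(url, HOST)!r}")
```

The unencoded build hands t!pw@api.example.com to the resolver, so the tail of the password leaves the machine in a clear-text DNS query, and the truncated s3cr is what would be sent as the password; the percent-encoded build resolves api.example.com and round-trips the full password. In libcurl's own URL API, curl_url_set() takes the CURLU_URLENCODE flag for exactly this purpose.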

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

ALT-PU-2020-2227
ALT-PU-2020-2447
BDU:2020-03242
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2020-8169
DSA-4881-1
MGASA-2020-0282
OPENSUSE-SU-2020:0883-1
OPENSUSE-SU-2020_0883-1
OPENSUSE-SU-2024:10582-1
RHSA-2021:2472
SUSE-SU-2020:1733-1
SUSE-SU-2020_1733-1
USN-4402-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Suse
Ubuntu
Curl