PT-2021-4570 · Curl+9

Viktor Szakats

·

Published

2021-02-12

·

Updated

2026-05-18

·

CVE-2021-22876

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions curl (libcurl and the curl command-line tool) versions 7.1.1 through 7.75.0
Description Exposure of sensitive information to an unauthorized actor through credentials leaked in the HTTP Referer: request header. When libcurl automatically populates the Referer: header (CURLOPT_AUTOREFERER in libcurl, --referer ";auto" in the curl tool), it copies the URL of the previous request verbatim, without stripping the user:password component. A transfer that starts from a credential-bearing URL and follows a redirect therefore sends those credentials to the server that receives the second request. A remote attacker who controls that server can obtain the credentials.
Recommendations Upgrade to curl 7.76.0 or later, which strips credentials from the automatically populated Referer: header. For curl versions 7.1.1 through 7.75.0 that cannot be upgraded, disable automatic population of the Referer: header: do not set the CURLOPT_AUTOREFERER option in applications built on libcurl, and do not use the --referer ";auto" (or -e ";auto") option with the curl tool. Distribution packages may carry a backported fix without a version bump (see the vendor advisories under Related Identifiers), so check the package changelog rather than relying on the upstream version number alone.
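The following is an added example, not code from the curl project or from this advisory. It models the two behaviours described above (the previous request URL reused verbatim as Referer, versus the URL with its user:password component stripped), provides a check that flags a Referer value carrying credentials, and parses a `curl --version` banner against the affected range. The URLs, redirect target and version banner are constructed for the example; the version check only covers the upstream version number, not distribution backports.

```python
"""Added example for CVE-2021-22876 (not curl project code).

Assumptions: referer_unpatched() mirrors the described pre-7.76.0 behaviour
(previous URL reused verbatim); referer_stripped() removes the userinfo and
the fragment, which is what a safe auto-referer value should look like.
All URLs and the version banner below are constructed sample data.
"""
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Affected range from the advisory; first fixed upstream release is 7.76.0.
AFFECTED_MIN = (7, 1, 1)
AFFECTED_MAX = (7, 75, 0)


def referer_unpatched(previous_url: str) -> str:
    """Vulnerable behaviour: the full previous URL, credentials included."""
    return previous_url


def referer_stripped(previous_url: str) -> str:
    """Rebuild the URL without userinfo and without the fragment."""
    parts = urlsplit(previous_url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = f"{host}:{parts.port}" if parts.port is not None else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def second_request_headers(first_url: str, location: str, patched: bool) -> dict:
    """Headers the client would send when following a redirect (Location)
    from first_url, with auto-referer enabled. Only Host and Referer are modelled."""
    target = urlsplit(urljoin(first_url, location))
    referer = referer_stripped(first_url) if patched else referer_unpatched(first_url)
    host = target.hostname or ""
    if target.port is not None:
        host = f"{host}:{target.port}"
    return {"Host": host, "Referer": referer}


def referer_leaks_credentials(referer_value: str) -> bool:
    """Detection check for a proxy or access-log review: True when the
    Referer value carries a userinfo component (user, password, or both)."""
    return urlsplit(referer_value).username is not None


def parse_curl_version(banner: str) -> tuple:
    """Parse the first line of `curl --version` into an (major, minor, patch) tuple."""
    m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not a curl --version banner")
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple) -> bool:
    """Upstream version inside the advisory's affected range.
    Caveat: distribution builds may be patched without a version bump."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


if __name__ == "__main__":
    # Constructed scenario: an authenticated internal URL redirects to a third party.
    first = "https://alice:s3cret@intra.example/report?id=7"
    loc = "https://cdn.example/r"
    for patched in (False, True):
        hdrs = second_request_headers(first, loc, patched)
        print("patched" if patched else "unpatched", hdrs,
              "LEAK" if referer_leaks_credentials(hdrs["Referer"]) else "ok")
    banner = "curl 7.75.0 (x86_64-pc-linux-gnu) libcurl/7.75.0 OpenSSL/1.1.1i zlib/1.2.11"
    print(parse_curl_version(banner), is_affected(parse_curl_version(banner)))
```

To confirm the behaviour on a real binary rather than the model, run the curl tool with verbose output, redirect following and auto-referer enabled (`curl -v -L -e ";auto" 'https://user:pass@host-you-control/'`) against a host you control that answers with a 3xx redirect, and inspect the Referer: line of the second request in the verbose output.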

Exploit

Information Disclosure


Weakness Enumeration

Related Identifiers

ALSA-2021:4511
ALT-PU-2021-1581
ALT-PU-2021-1601
ALT-PU-2021-2146
BDU:2021-05241
CESA-2021_4511
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2021-22876
DLA-2664-1
DSA-4881-1
JLSEC-2025-26
MGASA-2021-0186
OESA-2021-1170
OPENSUSE-SU-2021:0510-1
OPENSUSE-SU-2024:10582-1
RHSA-2021:2472
RHSA-2021:4511
RHSA-2022:1354
RLSA-2021:4511
SUSE-SU-2021:1006-1
SUSE-SU-2021:1396-1
SUSE-SU-2021:14707-1
SUSE-SU-2021:1786-1
SUSE-SU-2021:1809-1
USN-4898-1
USN-4903-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Curl