CVE-2022-27776
Auth/cookie leak on redirect
Project curl Security Advisory, April 27 2022
VULNERABILITY
curl might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host whose name is used in the initial URL, so that redirects to other hosts do not make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to hosts that are identical to the first one but use a different port number or URL scheme, contrary to expectation and intention.
Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom Authorization: or Cookie: headers, as those headers often contain privacy sensitive information or data.
curl and libcurl have options that let users opt out of this check, but they are not set by default.
INFO
This flaw was added in curl 4.9 with the introduction of --location and has been present in all libcurl versions ever released. In July 2000 in the curl 7.1.1 release, this commit was the first version that attempted to avoid this, but the check has been bad since then.
In 2018, CVE-2018-1000007 was reported, and its fix partly addressed this area, but in an incomplete way.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-27776 to this issue.
CWE-522: Insufficiently Protected Credentials
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 4.9 to and including 7.82.0
- Not affected versions: curl < 4.9 and curl >= 7.83.0
- Introduced-in: https://github.com/curl/curl/commit/ae1912cb0d494b48d
Also note that libcurl is used by many applications, and not always advertised as such.
SOLUTION
In curl version 7.83.0, the same-host check is extended to check the port number and protocol as well.
RECOMMENDATIONS
A - Upgrade curl to version 7.83.0
B - Apply the patch to your local version
C - Do not enable CURLOPT_FOLLOWLOCATION if you pass on custom Authorization: headers or cookies.
TIMELINE
This issue was reported to the curl project on April 21, 2022. We contacted distros@openwall on April 22.
libcurl 7.83.0 was released on April 27 2022, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Harry Sintonen
- Patched-by: Daniel Stenberg
Thanks a lot!