CVE-2021-22876

curl 7.1.1 to and including 7.75.0 is vulnerable to an Exposure of Private Personal Information to an Unauthorized Actor by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Weakness

The product does not properly prevent a person’s private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Affected Software

Potential Mitigations

• Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability and Accountability Act (HIPAA) [REF-342], General Data Protection Regulation (GDPR) [REF-1047], California Consumer Privacy Act (CCPA) [REF-1048], and others.
• Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/464.html
• https://cwe.mitre.org/data/definitions/467.html
• https://cwe.mitre.org/data/definitions/498.html
• https://cwe.mitre.org/data/definitions/508.html

References

• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://curl.se/docs/CVE-2021-22876.html
• https://hackerone.com/reports/1101882
• https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/
• https://security.gentoo.org/glsa/202105-36
• https://security.netapp.com/advisory/ntap-20210521-0007/
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://curl.se/docs/CVE-2021-22876.html
• https://hackerone.com/reports/1101882
• https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/
• https://security.gentoo.org/glsa/202105-36
• https://security.netapp.com/advisory/ntap-20210521-0007/
• https://www.oracle.com//security-alerts/cpujul2021.html