FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

curl -- Automatic referer leaks credentials

Affected packages
7.1.1 <= curl < 7.76.0

Details

VuXML ID b1194286-958e-11eb-9c34-080027f515ea
Discovery 2021-03-31
Entry 2021-04-10

Daniel Stenberg reports:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".
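The following is an added example, not libcurl's code and not part of the advisory. It shows the credential stripping that the report says is missing when a URL is reused as a Referer value, together with a check of a version string against the affected range listed above. The helper names `referer_without_userinfo` and `curl_version_affected` are hypothetical, and the sample URL is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if "X.Y.Z" lies in the range this entry lists
   (7.1.1 <= curl < 7.76.0), 0 if outside it, -1 if the string is unparsable. */
int curl_version_affected(const char *ver)
{
    int maj, min, pat;
    if (sscanf(ver, "%d.%d.%d", &maj, &min, &pat) != 3)
        return -1;
    long v = maj * 1000000L + min * 1000L + pat;
    return v >= 7001001L && v < 7076000L;
}

/* Hypothetical helper: copy url into out with any "user:password@" removed
   from the authority part, so the result is safe to send as a Referer.
   Returns 1 if credentials were removed, 0 if there were none,
   -1 if the URL has no "://" or out is too small. */
int referer_without_userinfo(const char *url, char *out, size_t outlen)
{
    const char *sep = strstr(url, "://");
    if (!sep)
        return -1;
    const char *auth = sep + 3;
    /* The authority ends at the first '/', '?' or '#'; an '@' after that
       point belongs to the path or query and must be left alone. */
    size_t auth_len = strcspn(auth, "/?#");
    const char *at = NULL;
    for (size_t i = 0; i < auth_len; i++)
        if (auth[i] == '@')
            at = auth + i;              /* last '@' inside the authority */
    const char *rest = at ? at + 1 : auth;
    size_t prefix = (size_t)(auth - url);   /* "scheme://" */
    if (prefix + strlen(rest) + 1 > outlen)
        return -1;
    memcpy(out, url, prefix);
    strcpy(out + prefix, rest);
    return at != NULL;
}

int main(void)
{
    char buf[256];
    const char *url = "https://alice:s3cret@example.com/start?x=1"; /* constructed */
    if (referer_without_userinfo(url, buf, sizeof buf) >= 0)
        printf("Referer: %s\n", buf);
    printf("7.75.0 affected: %d\n", curl_version_affected("7.75.0"));
    return 0;
}
```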

References

CVE Name CVE-2021-22876
URL https://curl.se/docs/CVE-2021-22876.html