#VU10224 Information disclosure in libcurl - CVE-2018-1000007
Published: January 25, 2018
Vulnerability identifier: #VU10224
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1000007
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
libcurl
libcurl
Software vendor:
curl.haxx.se
curl.haxx.se
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send custom headers in an HTTP request and an HTTP 30X redirect response code, cause the application to send the custom headers to the server specified in the 'Location:' response header and obtain potentially sensitive authentication information from applications that use custom 'Authorization:' headers.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send custom headers in an HTTP request and an HTTP 30X redirect response code, cause the application to send the custom headers to the server specified in the 'Location:' response header and obtain potentially sensitive authentication information from applications that use custom 'Authorization:' headers.
Remediation
Update to version 7.58.0.