#VU51821 Information disclosure in cURL - CVE-2021-22876
Published: March 31, 2021
Vulnerability identifier: #VU51821
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-22876
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
cURL
cURL
Software vendor:
curl.haxx.se
curl.haxx.se
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to libcurl does not strip off user credentials from the URL when automatically populating the Referer:
HTTP request header field in outgoing HTTP requests and therefore
risks leaking sensitive data to the server that is the target of the
second HTTP request.
Remediation
Install updates from vendor's website.