haxx libcurl CVE-2021-22876 vulnerability in Haxx and Other Products
Published on April 1, 2021

product logo product logo product logo product logo product logo product logo product logo product logo
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2021-22876 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is a Privacy violation Vulnerability?

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

CVE-2021-22876 has been classified to as a Privacy violation vulnerability or weakness.


Products Associated with CVE-2021-22876

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-22876 are published in these products:

Haxx Libcurl
 
Fedora Project Fedora
 
NetApp Hci Management Node
 
NetApp Solidfire
 
NetApp Hci Storage Node
 
Broadcom Fabric Operating System
 
Debian Linux
 
NetApp Hci Compute Node
 
Siemens Sinec Infrastructure Network Services
 
Oracle Communications Billing Revenue Management
 
Oracle Essbase
 
Splunk Universal Forwarder
 

Exploit Probability

EPSS
0.07%
Percentile
20.90%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.