CVE-2015-3153 — Sensitive Information Exposure in Curl

CWE-200 — Sensitive Information Exposure CWE-201 — Sensitive Info Insertion into Sent Data12 documents9 sources

Severity

5.0MEDIUMNVD

EPSS

9.8%

top 7.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Haxx Libcurl Oracle Enterprise Manager OPS Center +3 more

Timeline

PublishedMay 1

Latest updateMay 14

Description

The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

▶NVDhaxx/libcurl7.42.0

▶Debianhaxx/curl< 7.42.1-1+3

▶NVDhaxx/curl7.42.0

▶NVDoracle/enterprise_manager_ops_center12.1.3+3

▶NVDapple/mac_os_x10.10.4

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 14.10, 15.1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-hwj5-x3jv-hmff: The default configuration for cURL and libcurl before 7↗2022-05-14

▶

CVEList

CVE-2015-3153: The default configuration for cURL and libcurl before 7↗2015-05-01

▶

OSV

CVE-2015-3153: The default configuration for cURL and libcurl before 7↗2015-05-01

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2015-04-30

▶

Red Hat

curl: sensitive HTTP server headers also sent to proxies↗2015-04-29

▶

Debian

CVE-2015-3153: curl - The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP h...↗2015

▶

Apple

CVE-2015-3153: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

💬Community

Bugzilla

CVE-2015-3153 mingw-curl: curl: sensitive HTTP server headers also sent to proxies [epel-7]↗2015-04-30

▶

Bugzilla

CVE-2015-3153 curl: sensitive HTTP server headers also sent to proxies↗2015-04-30

▶

Bugzilla

CVE-2015-3153 mingw-curl: curl: sensitive HTTP server headers also sent to proxies [fedora-all]↗2015-04-30

▶

Bugzilla

CVE-2015-3153 curl: sensitive HTTP server headers also sent to proxies [fedora-all]↗2015-04-30

▶