CVE-2015-3236 — Sensitive Information Exposure in Curl

CWE-200 — Sensitive Information Exposure CWE-201 — Sensitive Info Insertion into Sent Data8 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

4.5%

top 10.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Haxx Libcurl

Timeline

PublishedJun 22

Latest updateMay 14

Description

cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶NVDhaxx/libcurl4 versions+3

▶Debianhaxx/curl< 7.43.0-1+3

▶NVDhaxx/curl4 versions+3

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-x247-6f29-259j: cURL and libcurl 7↗2022-05-14

▶

OSV

CVE-2015-3236: cURL and libcurl 7↗2015-06-22

▶

CVEList

CVE-2015-3236: cURL and libcurl 7↗2015-06-22

▶

📋Vendor Advisories

Red Hat

curl: lingering HTTP credentials in connection re-use↗2015-06-17

▶

Debian

CVE-2015-3236: curl - cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication creden...↗2015

▶

💬Community

Bugzilla

CVE-2015-3236 curl: lingering HTTP credentials in connection re-use↗2015-06-19

▶

Bugzilla

CVE-2015-3237 CVE-2015-3236 curl: various flaws [fedora-all]↗2015-06-19

▶