Lucene search

K
amazonAmazonALAS-2021-1509
HistoryJul 08, 2021 - 6:38 p.m.

Medium: curl

2021-07-0818:38:00
alas.aws.amazon.com
18

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.009 Low

EPSS

Percentile

83.0%

Issue Overview:

It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected. (CVE-2021-22876)

A vulnerability was found in curl where a flaw in the option parser for sending NEW_ENV variables libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22898)

Affected Packages:

curl

Issue Correction:
Run yum update curl to update your system.

New Packages:

i686:  
    curl-debuginfo-7.61.1-12.98.amzn1.i686  
    libcurl-devel-7.61.1-12.98.amzn1.i686  
    curl-7.61.1-12.98.amzn1.i686  
    libcurl-7.61.1-12.98.amzn1.i686  
  
src:  
    curl-7.61.1-12.98.amzn1.src  
  
x86_64:  
    curl-debuginfo-7.61.1-12.98.amzn1.x86_64  
    libcurl-7.61.1-12.98.amzn1.x86_64  
    libcurl-devel-7.61.1-12.98.amzn1.x86_64  
    curl-7.61.1-12.98.amzn1.x86_64  

Additional References

Red Hat: CVE-2021-22876, CVE-2021-22898

Mitre: CVE-2021-22876, CVE-2021-22898

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.009 Low

EPSS

Percentile

83.0%