curl: CVE-2021-22923: Metalink download sends credentials

HackerOne report H1:1213181
Reporter: nyymi
Reported: 2021-05-30 21:32:16 (May 30, 2021 - 9:32 p.m.)
Source: hackerone.com
Bounty: $700

EPSS: 0.002 (percentile 56.7%)

Summary:

When curl is built --with-libmetalink and run with --metalink and --user, it reuses the supplied credentials for every transfer that the metalink file triggers. That includes transfers to other hosts and over other protocols, even ones without transport layer security such as http and ftp. Credentials intended only for the site that serves the metalink file can therefore be sent to unrelated hosts, and when the transfer is unencrypted they can also be captured by an attacker in a man-in-the-middle network position.

By comparison, curl does not forward credentials to a different host when following an HTTP redirect unless --location-trusted is given, so the metalink behaviour is both unexpected and insecure.

Steps To Reproduce:

  1. Configure curl with --with-libmetalink and build it
  2. Serve metalinktest.xml from testsite with a <url> element that points at data on a different host over plain http
  3. Execute: curl --metalink --user professor:Joshua https://testsite/metalinktest.xml

The request to the other host carries the credentials, visible to that host and to anyone in a man-in-the-middle position:
Authorization: Basic cHJvZmVzc29yOkpvc2h1YQ==
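As an added example (not part of the report and not curl's own code), the following Python script parses a constructed metalink file, lists every <url> a metalink-enabled curl would fetch, and flags the entries that would receive the --user credentials across a host boundary or over a cleartext transport, which is where the leak described above happens. The Authorization header it builds is the same one shown in the reproduction. The hosts mirror.example and ftp.example, the sample file, and the same-host policy in credentials_allowed are assumptions: the policy approximates curl's redirect rule and is not curl's actual implementation.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample metalink file (not from the report): the origin host
# over https plus two mirrors on other hosts, one plain http and one ftp.
SAMPLE_METALINK = """<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="data.bin">
    <url>https://testsite/data.bin</url>
    <url>http://mirror.example/data.bin</url>
    <url>ftp://ftp.example/pub/data.bin</url>
  </file>
</metalink>
"""

NS = {"m": "urn:ietf:params:xml:ns:metalink"}
# Schemes that protect the request in transit; anything else is cleartext.
TLS_SCHEMES = {"https", "ftps", "sftp", "scp"}


def basic_auth_header(user, password):
    """Build the header curl derives from --user user:password, so a token
    seen in a capture can be matched back to the credential it encodes."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def metalink_urls(xml_text):
    """Return every <url> a metalink-enabled curl would try, in file order.
    Handles the Metalink 4 namespace and falls back to namespace-less files."""
    root = ET.fromstring(xml_text)
    urls = [u.text.strip() for u in root.iterfind(".//m:url", NS) if u.text]
    if not urls:
        urls = [u.text.strip() for u in root.iter("url") if u.text]
    return urls


def audit_metalink(origin_url, xml_text):
    """For each listed URL, record whether credentials supplied for
    origin_url would cross a host boundary or travel unencrypted.
    The vulnerable curl sends them to every entry regardless."""
    origin_host = (urlsplit(origin_url).hostname or "").lower()
    findings = []
    for url in metalink_urls(xml_text):
        target = urlsplit(url)
        findings.append({
            "url": url,
            "cross_host": (target.hostname or "").lower() != origin_host,
            "cleartext": target.scheme.lower() not in TLS_SCHEMES,
        })
    return findings


def leaking_urls(origin_url, xml_text):
    """URLs that would receive the credentials although they should not."""
    return [f["url"] for f in audit_metalink(origin_url, xml_text)
            if f["cross_host"] or f["cleartext"]]


def credentials_allowed(origin_url, target_url, location_trusted=False):
    """Assumed policy modelled on curl's redirect rule: credentials go only
    to the host that served the metalink file unless --location-trusted."""
    if location_trusted:
        return True
    origin_host = (urlsplit(origin_url).hostname or "").lower()
    target_host = (urlsplit(target_url).hostname or "").lower()
    return origin_host == target_host


if __name__ == "__main__":
    origin = "https://testsite/metalinktest.xml"
    print("header that leaks:", basic_auth_header("professor", "Joshua"))
    for finding in audit_metalink(origin, SAMPLE_METALINK):
        print(finding)
    print("entries that should not get credentials:",
          leaking_urls(origin, SAMPLE_METALINK))
```

Run the script against a metalink file before fetching it with a credentialed, metalink-enabled curl; any entry reported by leaking_urls is a host that would see the Basic token, and the plain-http and ftp entries are additionally readable by anyone on the path.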

Remarks

CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) might be a more accurate CWE.

Fix

  • Apply the same policy as for redirects: send the --user credentials only to the host that served the metalink file, and extend --location-trusted (or an equivalent option) to cover --metalink for users who explicitly want the credentials forwarded to the listed mirrors

Impact

Leak of credentials to unauthorized parties: every host listed in the metalink file receives them, and for entries fetched over cleartext protocols so does any on-path attacker.