libcurl 7.12.0 < 8.20.0 Cross-Proxy Digest Auth State Leak

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(311422);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/15");

  script_cve_id("CVE-2026-7168");
  script_xref(name:"IAVA", value:"2026-A-0397");

  script_name(english:"libcurl 7.12.0 < 8.20.0 Cross-Proxy Digest Auth State Leak");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a program that is affected by a cross-proxy digest auth state leak vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of libcurl installed on the remote host is 7.12.0 prior to 8.20.0. It is, therefore, affected by
a cross-proxy digest auth state leak vulnerability:

  - libcurl improperly handles Digest authentication headers when reusing handles across different HTTP
    proxies. When a client switches from one proxy to another using the same connection handle, the
    library incorrectly forwards the Proxy-Authorization header intended for the first proxy to the
    second one. An evil proxyB could use this incoming request header field to impersonate the client
    in communicating with proxyA, as the header contains the authenticated state. (CVE-2026-7168)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://curl.se/docs/CVE-2026-7168.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade libcurl to version 8.20.0 or later");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-7168");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/05/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"asset_categories", value:"component");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:haxx:libcurl");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("libcurl_nix_installed.nbin", "libcurl_win_installed.nbin");
  script_require_keys("installed_sw/libcurl");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {
      'product': {'name': 'libcurl', 'type': 'app'},
      'check_algorithm': 'default',
      'constraints': [
        {'min_version': '7.12.0', 'fixed_version': '8.20.0'}
      ]
    }
  ]
};

var res = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING, check_backporting:TRUE);
vdf::handle_check_and_report_errors(vdf_result:res);