cvelistv5 - cve-2018-1000007

CVE-2018-1000007 (GCVE-0-2018-1000007)

Vulnerability from cvelistv5 – Published: 2018-01-24 22:00 – Updated: 2024-08-05 12:33

Summary

libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://usn.ubuntu.com/3554-2/	vendor-advisoryx_refsource_UBUNTU
	https://usn.ubuntu.com/3554-1/	vendor-advisoryx_refsource_UBUNTU
	https://access.redhat.com/errata/RHSA-2018:3558	vendor-advisoryx_refsource_REDHAT
	https://www.debian.org/security/2018/dsa-4098	vendor-advisoryx_refsource_DEBIAN
	https://curl.haxx.se/docs/adv_2018-b3bf.html	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1040274	vdb-entryx_refsource_SECTRACK
	https://access.redhat.com/errata/RHSA-2018:3157	vendor-advisoryx_refsource_REDHAT
	https://lists.debian.org/debian-lts-announce/2018…	mailing-listx_refsource_MLIST
	https://access.redhat.com/errata/RHBA-2019:0327	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1543	vendor-advisoryx_refsource_REDHAT
	https://www.oracle.com/technetwork/security-advis…	x_refsource_MISC
	https://access.redhat.com/errata/RHSA-2020:0544	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0594	vendor-advisoryx_refsource_REDHAT
	http://www.openwall.com/lists/oss-security/2022/04/27/4	mailing-listx_refsource_MLIST

Show details on NVD website

	Vendor	Product	Description
	Oracle	N/A	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions antérieures à XCP2361 et antérieures à XCP3071
	Oracle	N/A	Oracle Solaris versions 10 et 11

Vendor	Product	Description
Juniper Networks	N/A	Contrail Service Orchestration (CSO) versions antérieures à 4.0.0 et 3.3.0
Juniper Networks	Junos Space	Junos Space versions antérieures à 18.1R1
Juniper Networks	Junos OS	Junos OS versions antérieures à 12.1X46-D45, 12.1X46-D67, 12.1X46-D76, 12.1X46-D77, 12.3R11, 12.3R12-S10, 12.3X48-D20, 12.3X48-D25, 12.3X48-D55, 12.3X48-D66, 12.3X48-D70, 12.3X54-D34, 14.1X53-D30, 14.1X53-D47, 15.1F5-S5, 15.1F6-S1, 15.1F6-S10, 15.1F7, 15.1R4-S5, 15.1R4-S9, 15.1R5, 15.1R6-S6, 15.1R7, 15.1R7-S1, 15.1R8, 15.1X49-D110, 15.1X49-D131, 15.1X49-D140, 15.1X49-D20, 15.1X49-D35, 15.1X53-D233, 15.1X53-D234, 15.1X53-D47, 15.1X53-D470, 15.1X53-D471, 15.1X53-D490, 15.1X53-D59, 15.1X53-D60, 15.1X53-D67, 15.1X54-D70, 15.1X8.3, 16.1R2, 16.1R3, 16.1R3-S8, 16.1R3-S9, 16.1R4-S10, 16.1R4-S8, 16.1R4-S9, 16.1R5-S4, 16.1R6-S1, 16.1R6-S3, 16.1R6-S4, 16.1R7, 16.1X65-D46, 16.1X65-D47, 16.2R1, 16.2R1-S6, 16.2R1-S7, 16.2R2-S5, 16.2R2-S6, 16.2R3, 17.1R1-S7, 17.1R2-S7, 17.1R3, 17.2R1-S4, 17.2R1-S6, 17.2R2-S4, 17.2R2-S5, 17.2R3, 17.2X75-D100, 17.2X75-D110, 17.2X75-D70, 17.2X75-D90, 17.2X75-D91, 17.3R1, 17.3R1-S4, 17.3R2, 17.3R2-S2, 17.3R3, 17.4R1-S2, 17.4R1-S3, 17.4R1-S4, 17.4R2, 18.1R1, 18.1R2, 18.1X75-D10, 18.2R1, 18.2X75-D10 et 18.2X75-D5

URL	Tags
cve@mitre.org	http://www.openwall.com/lists/oss-security/2022/04/27/4	Mailing List, Third Party Advisory
cve@mitre.org	http://www.securitytracker.com/id/1040274	Third Party Advisory, VDB Entry
cve@mitre.org	https://access.redhat.com/errata/RHBA-2019:0327	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:3157	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:3558	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2019:1543	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2020:0544	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2020:0594	Third Party Advisory
cve@mitre.org	https://curl.haxx.se/docs/adv_2018-b3bf.html	Patch, Vendor Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2018/01/msg00038.html	Mailing List, Third Party Advisory
cve@mitre.org	https://usn.ubuntu.com/3554-1/	Third Party Advisory
cve@mitre.org	https://usn.ubuntu.com/3554-2/	Third Party Advisory
cve@mitre.org	https://www.debian.org/security/2018/dsa-4098	Third Party Advisory
cve@mitre.org	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/04/27/4	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1040274	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHBA-2019:0327	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:3157	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:3558	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2019:1543	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2020:0544	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2020:0594	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://curl.haxx.se/docs/adv_2018-b3bf.html	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2018/01/msg00038.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://usn.ubuntu.com/3554-1/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://usn.ubuntu.com/3554-2/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2018/dsa-4098	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch, Third Party Advisory

Vendor	Product	Version
haxx	curl	*
debian	debian_linux	7.0
debian	debian_linux	8.0
debian	debian_linux	9.0
canonical	ubuntu_linux	12.04
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	17.10
redhat	enterprise_linux_desktop	7.0
redhat	enterprise_linux_server	7.0
redhat	enterprise_linux_server_aus	7.4
redhat	enterprise_linux_server_eus	7.4
redhat	enterprise_linux_server_eus	7.5
redhat	enterprise_linux_workstation	7.0
fujitsu	m10-1_firmware	*
fujitsu	m10-1	-
fujitsu	m10-4_firmware	*
fujitsu	m10-4	-
fujitsu	m10-4s_firmware	*
fujitsu	m10-4s	-
fujitsu	m12-1_firmware	*
fujitsu	m12-1	-
fujitsu	m12-2_firmware	*
fujitsu	m12-2	-
fujitsu	m12-2s_firmware	*
fujitsu	m12-2s	-
fujitsu	m10-1_firmware	*
fujitsu	m10-1	-
fujitsu	m10-4_firmware	*
fujitsu	m10-4	-
fujitsu	m10-4s_firmware	*
fujitsu	m10-4s	-
fujitsu	m12-1_firmware	*
fujitsu	m12-1	-
fujitsu	m12-2_firmware	*
fujitsu	m12-2	-
fujitsu	m12-2s_firmware	*
fujitsu	m12-2s	-

Action not permitted

CVE-2018-1000007 (GCVE-0-2018-1000007)

Solution

Solution

Solution

Solution

Solution

Solution

Tags

Sightings

Nomenclature