ALAS-2021-1509

Affecting curl package, versions <7.61.1-12.98.amzn1

medium severity

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Amazon-Linux:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

CVE-2021-22898 (bug 1964887: curl: TELNET stack contents disclosure)
A vulnerability was found in curl where, because of a flaw in the option parser for sending NEW_ENV variables, libcurl can pass uninitialized data from a stack-based buffer to the server. This can reveal sensitive internal information to the server over a clear-text network protocol. The highest threat from this vulnerability is to confidentiality.

CVE-2021-22876 (bug 1941964: curl: Leak of authentication credentials in URL via automatic Referer)
It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected.
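The Referer issue above comes from deriving a header value directly from a URL that may carry userinfo. The following is an added example (not curl's code and not part of this advisory) showing how a client library should derive a Referer value, and a small check that can be run over outgoing header values to spot the leak; the function names are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit


def referer_from_url(url: str) -> str:
    """Build the Referer value for a request that was sent to `url`.

    Any userinfo (user:password@) is stripped, which is the behaviour the
    CVE-2021-22876 fix restores. The fragment is dropped as well, since a
    Referer never carries it. Example helper, not libcurl's implementation.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname never includes userinfo
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"               # re-bracket IPv6 literals
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def contains_userinfo(header_value: str) -> bool:
    """True if a Referer (or any URL-shaped header value) still carries
    credentials, i.e. what an affected libcurl would have sent."""
    parts = urlsplit(header_value)
    return parts.username is not None or parts.password is not None


if __name__ == "__main__":
    # Constructed sample: a request URL with embedded credentials.
    original = "https://user:secret@example.com:8443/path?q=1#frag"
    safe = referer_from_url(original)
    print("Referer:", safe)                      # no credentials
    print("leaks creds:", contains_userinfo(original), contains_userinfo(safe))
```

The check is useful on a proxy or egress log: a Referer that still parses with a username is a direct signal that a client is exposing credentials to the redirect target.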

Remediation

Upgrade Amazon-Linux:2018.03 curl to version 7.61.1-12.98.amzn1 or higher.

References

CVE
ALAS-2021-1509
Snyk ID
SNYK-AMZN201803-CURL-1316599
Published
13 Jul, 2021