Versions mentioned in the description apply to the upstream
Remediation section below for
Amazon-Linux:2018.03 relevant versions.
Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

CVE-2021-22898:
A vulnerability was found in curl where, due to a flaw in the option parser for sending NEW_ENV variables, libcurl can pass uninitialized data from a stack-based buffer to the server. This issue can reveal sensitive internal information to the server over a clear-text network protocol. The highest threat from this vulnerability is to confidentiality.
1964887: CVE-2021-22898 curl: TELNET stack contents disclosure

CVE-2021-22876:
1941964: CVE-2021-22876 curl: Leak of authentication credentials in URL via automatic Referer
It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could expose the credentials to the server to which requests were redirected.
Upgrade curl to version 7.61.1-12.98.amzn1 or higher.
This issue was patched in
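
One way to check a host's installed curl build against the fixed version 7.61.1-12.98.amzn1 named above, as an added example that is not part of the advisory or of Amazon's tooling: a simplified RPM version comparison in Python. The function names and the version strings in the usage comment are assumptions made for illustration, and the `^` operator of RPM's comparison is not handled.

```python
import re

# Fixed curl build for Amazon Linux 2018.03, taken from the advisory text.
FIXED_EVR = "7.61.1-12.98.amzn1"
_TOKEN = re.compile(r"\d+|[A-Za-z]+|~")


def _cmp_part(a, b):
    """Compare one version or release string segment by segment,
    following RPM's rules in simplified form ('^' is not handled)."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == y:
            continue
        if x == "~" or y == "~":        # '~' sorts before everything,
            return -1 if x == "~" else 1  # including end of string
        if x is None or y is None:      # leftover segments mean newer
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):        # numeric compare: 100 > 98
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric beats alphabetic
        else:
            return 1 if x > y else -1
    return 0


def split_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch.isdigit() else 0), version, release


def evr_compare(a, b):
    """Return -1, 0 or 1 as package build a is older, equal or newer than b."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _cmp_part(va, vb) or _cmp_part(ra, rb)


def is_patched(installed_evr, fixed=FIXED_EVR):
    """True when the installed curl build is at or above the fixed build."""
    return evr_compare(installed_evr, fixed) >= 0

# Input can come from: rpm -q --qf '%{VERSION}-%{RELEASE}\n' curl
# e.g. is_patched("7.61.1-12.95.amzn1")  (constructed sample value)
```

Run the check against both `curl` and `libcurl`, since applications linked against the library are affected by the same flaws.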