9.8

CVE-2018-1000007

EPSS 2.93%
Published 24.01.2018 22:29:00
Last modified 21.11.2024 03:39:24
Source cve@mitre.org
Teams watchlist Login
Open Login

libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.

Affected products Warnungen 0 Metrics 3 CWE 0 References 17

Data is provided by the National Vulnerability Database (NVD)

Haxx ≫ Curl Version >= 7.1 <= 7.57.0

Debian ≫ Debian Linux Version7.0

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Canonical ≫ Ubuntu Linux Version12.04 SwEditionesm

Canonical ≫ Ubuntu Linux Version14.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version17.10

Redhat ≫ Enterprise Linux Desktop Version7.0

Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Enterprise Linux Server Aus Version7.4

Redhat ≫ Enterprise Linux Server Eus Version7.4

Redhat ≫ Enterprise Linux Server Eus Version7.5

Redhat ≫ Enterprise Linux Workstation Version7.0

Fujitsu ≫ M10-1 Firmware Version < xcp2361

Fujitsu ≫ M10-1 Version-

Fujitsu ≫ M10-4 Firmware Version < xcp2361

Fujitsu ≫ M10-4 Version-

Fujitsu ≫ M10-4s Firmware Version < xcp2361

Fujitsu ≫ M10-4s Version-

Fujitsu ≫ M12-1 Firmware Version < xcp2361

Fujitsu ≫ M12-1 Version-

Fujitsu ≫ M12-2 Firmware Version < xcp2361

Fujitsu ≫ M12-2 Version-

Fujitsu ≫ M12-2s Firmware Version < xcp2361

Fujitsu ≫ M12-2s Version-

Fujitsu ≫ M10-1 Firmware Version < xcp3070

Fujitsu ≫ M10-1 Version-

Fujitsu ≫ M10-4 Firmware Version < xcp3070

Fujitsu ≫ M10-4 Version-

Fujitsu ≫ M10-4s Firmware Version < xcp3070

Fujitsu ≫ M10-4s Version-

Fujitsu ≫ M12-1 Firmware Version < xcp3070

Fujitsu ≫ M12-1 Version-

Fujitsu ≫ M12-2 Firmware Version < xcp3070

Fujitsu ≫ M12-2 Version-

Fujitsu ≫ M12-2s Firmware Version < xcp3070

Fujitsu ≫ M12-2s Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.93%	0.859

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Patch

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3558

Third Party Advisory

https://access.redhat.com/errata/RHBA-2019:0327

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1543

Third Party Advisory

https://usn.ubuntu.com/3554-1/

Third Party Advisory

https://www.debian.org/security/2018/dsa-4098

Third Party Advisory

http://www.openwall.com/lists/oss-security/2022/04/27/4

Third Party Advisory

Mailing List

http://www.securitytracker.com/id/1040274

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHSA-2018:3157

Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0544

Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0594

Third Party Advisory

https://curl.haxx.se/docs/adv_2018-b3bf.html

Patch

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2018/01/msg00038.html

Third Party Advisory

Mailing List

https://usn.ubuntu.com/3554-2/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-1000007

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-1000007

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-1000007

EUVD