Remote Information Disclosure in cURL and libcurl by Curl
CVE-2015-3153

Currently unrated

Key Information:

Vendor: Oracle
Status: Enterprise Manager Ops Center
Vendor: CVE Published:; 1 May 2015

Summary

Earlier versions of cURL and libcurl, specifically before 7.42.1, are susceptible to a vulnerability that exposes sensitive information. Due to their default configuration, these libraries can inadvertently send custom HTTP headers to both the proxy and the destination server. This behavior may allow remote proxy servers to access and read the contents of these headers, potentially disclosing confidential information. Users of affected versions should review their configurations and apply necessary updates to mitigate the risks associated with this vulnerability.

References

https://kc.mcafee.com/corporate/index?page=content&id=SB1...

x_refsource_CONFIRM

http://www.securitytracker.com/id/1032233

vdb-entryx_refsource_SECTRACK

http://www.oracle.com/technetwork/topics/security/cpuoct2...

x_refsource_CONFIRM

Timeline

Vulnerability published
May 1, 2015
Vulnerability Reserved
Apr 10, 2015