UBUNTU-CVE-2018-1000007
See a problem?- Source
- https://ubuntu.com/security/notices/UBUNTU-CVE-2018-1000007
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-1000007.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2018-1000007
- Related
- Published
- 2018-01-24T00:00:00Z
- Modified
- 2018-01-24T00:00:00Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the
Location:response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on customAuthorization:headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request. - References
Affected packages
Ubuntu:14.04:LTS / curl
Package
- Name
- curl
- Purl
- pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.14?arch=src?distro=trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.35.0-1ubuntu2.14
Affected versions
7.*
7.32.0-1ubuntu1
7.33.0-1ubuntu1
7.34.0-1ubuntu1
7.35.0-1ubuntu1
7.35.0-1ubuntu2
7.35.0-1ubuntu2.1
7.35.0-1ubuntu2.2
7.35.0-1ubuntu2.3
7.35.0-1ubuntu2.5
7.35.0-1ubuntu2.6
7.35.0-1ubuntu2.7
7.35.0-1ubuntu2.8
7.35.0-1ubuntu2.9
7.35.0-1ubuntu2.10
7.35.0-1ubuntu2.11
7.35.0-1ubuntu2.12
7.35.0-1ubuntu2.13
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"curl-udeb": "7.35.0-1ubuntu2.14",
"libcurl3": "7.35.0-1ubuntu2.14",
"libcurl4-gnutls-dev": "7.35.0-1ubuntu2.14",
"libcurl3-dbgsym": "7.35.0-1ubuntu2.14",
"libcurl3-nss": "7.35.0-1ubuntu2.14",
"libcurl4-doc": "7.35.0-1ubuntu2.14",
"libcurl3-udeb-dbgsym": "7.35.0-1ubuntu2.14",
"libcurl3-gnutls-dbgsym": "7.35.0-1ubuntu2.14",
"libcurl4-openssl-dev": "7.35.0-1ubuntu2.14",
"libcurl4-openssl-dev-dbgsym": "7.35.0-1ubuntu2.14",
"curl-dbgsym": "7.35.0-1ubuntu2.14",
"curl": "7.35.0-1ubuntu2.14",
"libcurl3-udeb": "7.35.0-1ubuntu2.14",
"curl-udeb-dbgsym": "7.35.0-1ubuntu2.14",
"libcurl4-nss-dev-dbgsym": "7.35.0-1ubuntu2.14",
"libcurl3-gnutls": "7.35.0-1ubuntu2.14",
"libcurl4-gnutls-dev-dbgsym": "7.35.0-1ubuntu2.14",
"libcurl3-nss-dbgsym": "7.35.0-1ubuntu2.14",
"libcurl3-dbg": "7.35.0-1ubuntu2.14",
"libcurl4-nss-dev": "7.35.0-1ubuntu2.14"
}
]
}
Ubuntu:16.04:LTS / curl
Package
- Name
- curl
- Purl
- pkg:deb/ubuntu/curl@7.47.0-1ubuntu2.6?arch=src?distro=xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.47.0-1ubuntu2.6
Affected versions
7.*
7.43.0-1ubuntu2
7.45.0-1ubuntu1
7.46.0-1ubuntu1
7.47.0-1ubuntu1
7.47.0-1ubuntu2
7.47.0-1ubuntu2.1
7.47.0-1ubuntu2.2
7.47.0-1ubuntu2.3
7.47.0-1ubuntu2.4
7.47.0-1ubuntu2.5
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"libcurl3": "7.47.0-1ubuntu2.6",
"libcurl4-gnutls-dev": "7.47.0-1ubuntu2.6",
"libcurl3-dbgsym": "7.47.0-1ubuntu2.6",
"libcurl3-nss": "7.47.0-1ubuntu2.6",
"libcurl4-doc": "7.47.0-1ubuntu2.6",
"libcurl3-gnutls-dbgsym": "7.47.0-1ubuntu2.6",
"libcurl4-openssl-dev": "7.47.0-1ubuntu2.6",
"libcurl4-openssl-dev-dbgsym": "7.47.0-1ubuntu2.6",
"curl-dbgsym": "7.47.0-1ubuntu2.6",
"curl": "7.47.0-1ubuntu2.6",
"libcurl4-nss-dev-dbgsym": "7.47.0-1ubuntu2.6",
"libcurl3-gnutls": "7.47.0-1ubuntu2.6",
"libcurl4-gnutls-dev-dbgsym": "7.47.0-1ubuntu2.6",
"libcurl3-nss-dbgsym": "7.47.0-1ubuntu2.6",
"libcurl3-dbg": "7.47.0-1ubuntu2.6",
"libcurl4-nss-dev": "7.47.0-1ubuntu2.6"
}
]
}