Amazon Linux AMI Security Advisory: ALAS-2021-1509
Advisory Release Date: 2021-07-08 18:38 Pacific
Advisory Updated Date: 2021-07-12 21:48 Pacific
It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected. (CVE-2021-22876)
A vulnerability was found in curl where a flaw in the option parser for sending NEW_ENV variables libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22898)
Run yum update curl to update your system.