CVE-2018-1000007

Public on 2018-01-24

Modified on 2019-01-09

Description

It was found that curl and libcurl might send their Authentication header to a third party HTTP server upon receiving an HTTP REDIRECT reply. This could leak authentication token to external entities.

Severity

Medium

See what this means

CVSS v3 Base Score

6.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	curl	2018-02-20 20:57	ALAS-2018-951
Amazon Linux 2 - Core	curl	2018-02-07 18:08	ALAS2-2018-951
Amazon Linux 2 - Core	nss-pem	2019-01-07 21:51	ALAS2-2019-1139

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:P/I:N/A:N
NVD	CVSSv3	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2018-1000007 Mitre: CVE-2018-1000007 FAQs regarding Amazon Linux ALAS/CVE Severity