CVE-2018-1000007

Public on 2018-02-07
Modified on 2019-01-09
Description
It was found that curl and libcurl might send their Authentication header to a third party HTTP server upon receiving an HTTP REDIRECT reply. This could leak authentication token to external entities.
Severity
Medium
CVSS v3 Base Score
6.5
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 curl 2018-02-07 18:08 ALAS2-2018-951
Amazon Linux 2 nss-pem 2019-01-07 21:51 ALAS2-2019-1139
Amazon Linux 1 curl 2018-02-20 20:57 ALAS-2018-951

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
NVD CVSSv2 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
NVD CVSSv3 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H