DSA-2660-1 curl -- exposure of sensitive informationID: oval:org.secpod.oval:def:601007 | Date: (C)2013-04-22 (M)2023-12-07 |
Class: PATCH | Family: unix |
Yamada Yasuharu discovered that cURL, an URL transfer library, is vulnerable to expose potentially sensitive information when doing requests across domains with matching tails. Due to a bug in the tailmatch function when matching domain names, it was possible that cookies set for a domain "ample.com" could accidentally also be sent by libcurl when communicating with "example.com". Both curl the command line tool and applications using the libcurl library are vulnerable.