{"id":"CURL-CVE-2015-3153","summary":"sensitive HTTP server headers also sent to proxies","details":"libcurl provides applications a way to set custom HTTP headers to be sent to\nthe server by using `CURLOPT_HTTPHEADER`. A similar option is available for\nthe curl command-line tool with the '--header' option.\n\nWhen the connection passes through an HTTP proxy the same set of headers is\nsent to the proxy as well by default. While this is by design, it has not\nnecessarily been clear nor understood by application programmers.\n\nSuch tunneling over a proxy is done for example when using the HTTPS protocol\n- or when explicitly asked for. In this case, the initial connection to the\nproxy is made in clear including any custom headers using the HTTP CONNECT\nmethod.\n\nWhile libcurl provides the `CURLOPT_HEADEROPT` option to allow applications to\ntell libcurl if the headers should be sent to host and the proxy or use\nseparate lists to the different destinations, it has still defaulted to\nsending the same headers to both parties for the sake of compatibility.\n\nIf the application sets a custom HTTP header with sensitive content (e.g.,\nauthentication cookies) without changing the default, the proxy, and anyone\nwho listens to the traffic between the application and the proxy, might get\naccess to those values.\n\nNote: this problem does not exist when using the `CURLOPT_COOKIE` option (or\nthe `--cookie` option) or the HTTP auth options, which are always sent only to\nthe destination server.","aliases":["CVE-2015-3153"],"modified":"2024-06-07T13:53:51Z","published":"2015-04-29T08:00:00Z","database_specific":{"affects":"both","URL":"https://curl.se/docs/CVE-2015-3153.json","package":"curl","severity":"High","last_affected":"7.42.0","www":"https://curl.se/docs/CVE-2015-3153.html","CWE":{"id":"CWE-201","desc":"Information Exposure Through Sent Data"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"4.0"},{"fixed":"7.42.1"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ae1912cb0d494b48d514d937826c9fe83ec96c4d"},{"fixed":"6ba2e88a642434bd0ffa95465e4a7d034d03ea10"}]}],"versions":["7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7","7.6.1","7.6","7.5.2","7.5.1","7.5","7.4.2","7.4.1","7.4","7.3","7.2.1","7.2","7.1.1","7.1","6.5.2","6.5.1","6.5","6.4","6.3.1","6.3","6.2","6.1","6.0","5.11","5.10","5.9.1","5.9","5.8","5.7.1","5.7","5.5.1","5.5","5.4","5.3","5.2.1","5.2","5.0","4.10","4.9","4.8.4","4.8.3","4.8.2","4.8.1","4.8","4.7","4.6","4.5.1","4.5","4.4","4.3","4.2","4.1","4.0"],"database_specific":{"vanir_signatures":[{"target":{"function":"Curl_init_userdefined","file":"lib/url.c"},"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/6ba2e88a642434bd0ffa95465e4a7d034d03ea10","signature_type":"Function","id":"CURL-CVE-2015-3153-536e1702","digest":{"function_hash":"112562045243783054185468152969743205243","length":2566},"deprecated":false},{"target":{"file":"lib/url.c"},"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/6ba2e88a642434bd0ffa95465e4a7d034d03ea10","signature_type":"Line","id":"CURL-CVE-2015-3153-a7c24e28","digest":{"line_hashes":["235776317782695064748682045941291273372","313476709949763530481507662607641516986","224412127183252428235313325283823781033","292226583050003026211110279524150168941"],"threshold":0.9},"deprecated":false},{"target":{"function":"test","file":"tests/libtest/lib1527.c"},"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/6ba2e88a642434bd0ffa95465e4a7d034d03ea10","signature_type":"Function","id":"CURL-CVE-2015-3153-b3e82869","digest":{"function_hash":"98044783771648908736397801533184611125","length":1276},"deprecated":false},{"target":{"file":"tests/libtest/lib1527.c"},"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/6ba2e88a642434bd0ffa95465e4a7d034d03ea10","signature_type":"Line","id":"CURL-CVE-2015-3153-d0016f9f","digest":{"line_hashes":["184837749055694259736647071052214275989","302681778085958670063024681149007089641","216082381897291005259430578210534282846","137813027445489953342252715511805106260"],"threshold":0.9},"deprecated":false}],"source":"https://curl.se/docs/CURL-CVE-2015-3153.json"}}],"schema_version":"1.7.3","credits":[{"name":"Yehezkel Horowitz","type":"FINDER"},{"name":"Oren Souroujon","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}