Alpine: libcurl, multiple curl packages: security update to 7.76.0-r0

medium Tenable Self-Hosted Container Security Plugin ID 423818

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an
Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user
credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing
HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second
HTTP request. (CVE-2021-22876)

- curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows a malicious HTTPS proxy to MITM a
connection due to bad handling of TLS 1.3 session tickets. When using an HTTPS proxy and TLS 1.3, libcurl
can confuse session tickets arriving from the HTTPS proxy and treat them as if they arrived from the remote
server, then wrongly "short-cut" the host handshake. When the tickets are confused, an HTTPS proxy can
trick libcurl into using the wrong session ticket to resume for the host, thereby circumventing the server
TLS certificate check and making a MITM attack possible to perform unnoticed. Note that such a malicious
HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to
work, unless curl has been told to ignore the server certificate check. (CVE-2021-22890)
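
A detection sketch for the Referer leak described in the first item (CVE-2021-22876), added here as an example and not part of the plugin or of curl: it scans web server access logs in combined log format for Referer values that carry URL credentials and notes whether the User-Agent advertises a curl version in the affected range. The function names and the sample log lines are constructed for illustration, and the User-Agent check is only a hint, since applications built on libcurl often set their own.

```python
import re
from urllib.parse import urlsplit

# Combined log format tail: "request" status bytes "referer" "user-agent"
LOG_TAIL = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
CURL_UA = re.compile(r'^curl/(\d+)\.(\d+)\.(\d+)')
AFFECTED = ((7, 1, 1), (7, 75, 0))  # CVE-2021-22876 range as stated in the description

def strip_userinfo(url):
    """Drop 'user:password@' from the authority, keep everything else."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return parts._replace(netloc=host).geturl()

def affected_curl(agent):
    """True if the User-Agent advertises a curl version in the affected range."""
    m = CURL_UA.match(agent)
    if not m:
        return False
    version = tuple(int(g) for g in m.groups())
    return AFFECTED[0] <= version <= AFFECTED[1]

def leaky_referers(lines):
    """Return (line_no, redacted_referer, affected_curl) for each leaking line."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LOG_TAIL.search(line.strip())
        if not m:
            continue
        referer = m.group("referer")
        try:
            clean = strip_userinfo(referer)
        except ValueError:  # malformed URL, e.g. a bad IPv6 literal
            continue
        if clean != referer:  # credentials were present; report only the redacted form
            hits.append((no, clean, affected_curl(m.group("agent"))))
    return hits

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2021:10:00:00 +0000] "GET /b HTTP/1.1" 200 512 "https://alice:s3cret@a.example/start?x=1" "curl/7.75.0"',
    '203.0.113.6 - - [01/Apr/2021:10:00:01 +0000] "GET /b HTTP/1.1" 200 512 "https://a.example/start" "curl/7.76.0"',
    '203.0.113.7 - - [01/Apr/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [01/Apr/2021:10:00:03 +0000] "GET /c HTTP/1.1" 200 64 "https://bob@b.example/" "ExampleClient/1.0"',
]
if __name__ == "__main__":
    print(leaky_referers(SAMPLE_LOG))
```

Hits report only the redacted Referer, so the findings themselves do not copy the leaked credentials into another log.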

See Also

https://security.alpinelinux.org/vuln/CVE-2021-22876

https://security.alpinelinux.org/vuln/CVE-2021-22890

Plugin Details

Severity: Medium

ID: 423818

Version: Revision 1.10

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-22876

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/1/2021

Reference Information

CVE: CVE-2021-22876, CVE-2021-22890