Project curl Security Advisory, August 3rd 2003 - Permalink
When curl connected to a site via an HTTP proxy with the CONNECT request, the user and password used for the proxy connection was also sent off to the remote server.
securityfocus.com referred to it as BID 8432
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2003-1605 to this issue.
CWE-201: Information Exposure Through Sent Data
Severity: High
- Affected versions: curl 4.5 to and including curl 7.10.6
- Not affected versions: curl < 4.5 and curl >= 7.10.7
- Introduced-in: https://github.com/curl/curl/commit/ae1912cb0d494b48d51
This was not reported using the regular means so we did not make a standard time line for this issue.
We have no recording of who reported this.
- Reported-by: unknown