JLSEC-2026-388 · Julia Security Advisories

JLSEC-2026-388

JLSEC Published: May 4, 2026
Modified: May 4, 2026
Affected Packages: CURL_jll < 8.5.0+0
LibCURL_jll < 7.83.1+0
Aliases / Upstream: CVE-2022-27776

A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

References

https://hackerone.com/reports/1547048
https://hackerone.com/reports/1547048
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7N5ZBWLNNPZKFK7Q4KEHGCJ2YELQEUJP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7N5ZBWLNNPZKFK7Q4KEHGCJ2YELQEUJP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/
https://security.gentoo.org/glsa/202212-01
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220609-0008/
https://security.netapp.com/advisory/ntap-20220609-0008/
https://www.debian.org/security/2022/dsa-5197
https://www.debian.org/security/2022/dsa-5197