{"id":"CURL-CVE-2015-3236","summary":"lingering HTTP credentials in connection reuse","details":"libcurl can wrongly send HTTP credentials when reusing connections.\n\nlibcurl allows applications to set credentials (a name and password) for the\nupcoming transfer with HTTP Basic authentication, for example with\n`CURLOPT_USERPWD`. Just like all other libcurl options the credentials are\nsticky and are kept associated with the \"handle\" until something is done to\nchange the situation.\n\nFurther, libcurl offers a `curl_easy_reset()` function that resets a handle\nback to its pristine state in terms of all settable options. A reset is of\ncourse also supposed to clear the credentials. A reset is typically used to\nclear up the handle and prepare it for a new, possibly unrelated, transfer.\n\nWithin such a handle, libcurl can also store a set of previous connections in\ncase a second transfer is requested to a hostname for which an existing\nconnection is already kept alive.\n\nWith this flaw present, using the handle even after a reset would make libcurl\naccidentally use those credentials in a subsequent request if done to the same\nhostname and connection as was previously accessed.\n\nAn example case would be first requesting a password protected resource from\none section of a website, and then doing a second request of a public resource\nfrom a completely different part of the site without authentication. This flaw\nwould then inadvertently leak the credentials in the second request.","aliases":["CVE-2015-3236"],"modified":"2026-04-25T16:17:54.489021Z","published":"2015-06-17T08:00:00Z","database_specific":{"last_affected":"7.42.1","CWE":{"id":"CWE-305","desc":"Authentication Bypass by Primary Weakness"},"www":"https://curl.se/docs/CVE-2015-3236.html","severity":"High","affects":"both","package":"curl","URL":"https://curl.se/docs/CVE-2015-3236.json"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.40.0"},{"fixed":"7.43.0"}]}],"versions":["7.42.1","7.42.0","7.41.0","7.40.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2015-3236.json"}}],"schema_version":"1.7.5","credits":[{"name":"Tomas Tomecek","type":"FINDER"},{"name":"Kamil Dudka","type":"FINDER"},{"name":"Kamil Dudka","type":"REMEDIATION_DEVELOPER"}]}