
CVE-2022-27774: An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82...

CVSS Score: 5.7 (CVSS v3.1)

Basic Information

EPSS Score: 0.48205%
Published: 6/3/2022
Updated: 4/7/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Vulnerability Intelligence
Root Cause Analysis

The vulnerability (CVE-2022-27774) describes a credential leak when curl follows HTTP(S) redirects with authentication to different protocols or port numbers. The commit af2d6743a13537989495b660b85f4997045b521c, titled 'http: clear auth details on host/port/scheme change', directly addresses this. The core logic change is within the Curl_follow function in lib/http.c. This function decides whether to carry over authentication credentials during a redirect. The patch introduces checks for hostname, port, and scheme mismatches between the original and redirected URLs. If a mismatch occurs, the authentication details (data->state.aptr.user, data->state.aptr.passwd, and related state flags) are now explicitly cleared. The absence of this clearing logic before the patch is the vulnerability. Therefore, Curl_follow is the key function that, when processing a redirect under vulnerable conditions, would lead to the credential leak and would appear in a runtime profile during exploitation.
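The following C function is an added illustration of the decision the patched Curl_follow makes; it is not code from curl or from Miggo. Credentials bound to the original request are reused only when scheme, host and effective port all match; any mismatch means the stored user/password must be dropped before the redirected request is sent. The URL parsing is a minimal hand-written helper written for this demo (an assumption; curl uses its own URL API), and it handles only http and https without IPv6 literals.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Parsed origin of a URL: scheme, host and effective port. */
struct origin {
    char scheme[16];
    char host[256];
    int port;
};

/* Minimal demo parser for "scheme://host[:port]/...". Only http and https
   are understood and IPv6 bracket hosts are not supported (assumption for
   this example). Returns 0 on success, -1 on failure. */
static int parse_origin(const char *url, struct origin *o)
{
    const char *sep = strstr(url, "://");
    if (!sep)
        return -1;
    size_t slen = (size_t)(sep - url);
    if (slen == 0 || slen >= sizeof(o->scheme))
        return -1;
    for (size_t i = 0; i < slen; i++)
        o->scheme[i] = (char)tolower((unsigned char)url[i]);
    o->scheme[slen] = '\0';

    /* Host runs until a port separator, path, query or fragment. */
    const char *h = sep + 3;
    size_t hlen = strcspn(h, ":/?#");
    if (hlen == 0 || hlen >= sizeof(o->host))
        return -1;
    for (size_t i = 0; i < hlen; i++)
        o->host[i] = (char)tolower((unsigned char)h[i]);
    o->host[hlen] = '\0';

    /* Explicit port, otherwise the scheme's default. */
    const char *p = h + hlen;
    if (*p == ':') {
        char *end;
        long port = strtol(p + 1, &end, 10);
        if (end == p + 1 || port <= 0 || port > 65535)
            return -1;
        o->port = (int)port;
    } else if (strcmp(o->scheme, "https") == 0) {
        o->port = 443;
    } else if (strcmp(o->scheme, "http") == 0) {
        o->port = 80;
    } else {
        return -1;
    }
    return 0;
}

/* Return 1 if the credentials used for `original` may be reused for
   `redirect`, 0 if they must be cleared (scheme, host or port differs),
   and -1 if either URL cannot be parsed. */
int keep_auth_on_redirect(const char *original, const char *redirect)
{
    struct origin a, b;
    if (parse_origin(original, &a) != 0 || parse_origin(redirect, &b) != 0)
        return -1;
    return strcmp(a.scheme, b.scheme) == 0 &&
           strcmp(a.host, b.host) == 0 &&
           a.port == b.port;
}

int main(void)
{
    /* Constructed sample redirects, all using example.com. */
    const char *orig = "https://example.com/login";
    const char *targets[] = {
        "https://example.com/home",        /* same origin: keep auth */
        "http://example.com/home",         /* scheme change: clear */
        "https://example.com:8443/home",   /* port change: clear */
        "https://other.example.com/home",  /* host change: clear */
    };
    for (size_t i = 0; i < sizeof(targets) / sizeof(targets[0]); i++)
        printf("%s -> %s : %s\n", orig, targets[i],
               keep_auth_on_redirect(orig, targets[i]) == 1 ? "keep auth" : "clear auth");
    return 0;
}
```

The decision is deliberately conservative: a redirect to the same host on a different port or scheme is treated as a different origin, which is exactly the case the pre-patch code got wrong.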
