Updated: 2024-11-30 03:14:00.778384
Description:
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
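The connection-reuse mistake described above, as an added illustration that is not libcurl's own code: a simplified model of a pooled FTP connection in which the pre-8.0.0 style match ignores the four FTP options, so a transfer requesting a different CURLOPT_FTP_ACCOUNT is handed the earlier connection, while a match that includes those options forces a fresh one. Field and function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a pooled FTP connection (constructed for this example;
 * names are assumptions, not libcurl internals). */
typedef struct {
    const char *host;
    const char *user;
    const char *passwd;
    const char *ftp_account;             /* CURLOPT_FTP_ACCOUNT */
    const char *ftp_alternative_to_user; /* CURLOPT_FTP_ALTERNATIVE_TO_USER */
    bool        ftp_ssl_ccc;             /* CURLOPT_FTP_SSL_CCC */
    int         use_ssl;                 /* CURLOPT_USE_SSL */
} ftp_conn_t;

static bool str_eq(const char *a, const char *b) {
    if (a == NULL || b == NULL) return a == b;   /* unset option compares equal to unset */
    return strcmp(a, b) == 0;
}

/* Pre-8.0.0 style check: only host and login credentials are compared, so a
 * pooled connection whose FTP options differ from the new transfer still "matches". */
bool match_vulnerable(const ftp_conn_t *pooled, const ftp_conn_t *wanted) {
    return str_eq(pooled->host, wanted->host) &&
           str_eq(pooled->user, wanted->user) &&
           str_eq(pooled->passwd, wanted->passwd);
}

/* Fixed-style check: the four FTP options are part of the match key, so a
 * transfer with a different account or TLS setting cannot pick up the old connection. */
bool match_fixed(const ftp_conn_t *pooled, const ftp_conn_t *wanted) {
    return match_vulnerable(pooled, wanted) &&
           str_eq(pooled->ftp_account, wanted->ftp_account) &&
           str_eq(pooled->ftp_alternative_to_user, wanted->ftp_alternative_to_user) &&
           pooled->ftp_ssl_ccc == wanted->ftp_ssl_ccc &&
           pooled->use_ssl == wanted->use_ssl;
}

/* Constructed sample: first transfer ran with account "acct-a", next one asks for "acct-b". */
static const ftp_conn_t pooled = { "ftp.example.test", "alice", "s3cret", "acct-a", NULL, false, 0 };
static const ftp_conn_t wanted = { "ftp.example.test", "alice", "s3cret", "acct-b", NULL, false, 0 };

int old_check_reuses(void) { return match_vulnerable(&pooled, &wanted) ? 1 : 0; }
int new_check_reuses(void) { return match_fixed(&pooled, &wanted) ? 1 : 0; }

int main(void) {
    printf("old check reuses pooled connection: %d\n", old_check_reuses()); /* 1 */
    printf("new check reuses pooled connection: %d\n", new_check_reuses()); /* 0 */
    return 0;
}
```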
Version | Severity | Score
---|---|---
CVSS 2.x | 0 |
CVSS 3.x | MEDIUM | 5.9
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement
---|---|---|---|---|---|---|---|---
AlmaLinux 9.2 ESU | curl | 7.76.1 | 5.9 | MEDIUM | Ignored | | 2023-11-08 04:07:59 |
CentOS 6 ELS | curl | 7.19.7 | 5.9 | MEDIUM | Released | CLSA-2023:1681490707 | 2023-04-24 08:49:10 |
CentOS 7 ELS | curl | 7.29.0 | 5.9 | MEDIUM | Ignored | | 2023-09-19 09:30:26 |
CentOS 8.4 ELS | curl | 7.61.1 | 5.9 | MEDIUM | Released | CLSA-2023:1681491543 | 2023-04-14 14:04:50 |
CentOS 8.5 ELS | curl | 7.61.1 | 5.9 | MEDIUM | Released | CLSA-2023:1681491763 | 2023-04-14 14:04:53 |
CloudLinux 6 ELS | curl | 7.19.7 | 5.9 | MEDIUM | Released | CLSA-2023:1681490914 | 2023-04-24 08:49:10 |
Oracle Linux 6 ELS | curl | 7.19.7 | 5.9 | MEDIUM | Released | CLSA-2023:1681491163 | 2023-04-14 14:04:52 |
Ubuntu 16.04 ELS | curl | 7.47.0 | 5.9 | MEDIUM | Released | CLSA-2023:1681491348 | 2023-04-14 14:04:54 |
Ubuntu 18.04 ELS | curl | 7.58.0-2 | 5.9 | MEDIUM | Already Fixed | | 2023-04-28 08:47:38 |