CVE-2023-27535

Updated: 2023-11-07 19:35:09.307187

Description:

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings, namely CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL, were not included in the configuration match checks, so a pooled connection set up with different values for these options could still be selected for reuse. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| Severity | Score |
|---|---|
| CVSS Version 2.x | 0 |
| CVSS Version 3.x | MEDIUM 5.9 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | curl | 7.76.1 | 5.9 | MEDIUM | Ignored | | 2023-11-08 04:07:59 |
| CentOS 6 ELS | curl | 7.19.7 | 5.9 | MEDIUM | Released | CLSA-2023:1681490707 | 2023-04-24 08:49:10 |
| CentOS 7 ELS | curl | 7.29.0 | 5.9 | MEDIUM | Ignored | | 2023-09-19 09:30:26 |
| CentOS 8.4 ELS | curl | 7.61.1 | 5.9 | MEDIUM | Released | CLSA-2023:1681491543 | 2023-04-14 14:04:50 |
| CentOS 8.5 ELS | curl | 7.61.1 | 5.9 | MEDIUM | Released | CLSA-2023:1681491763 | 2023-04-14 14:04:53 |
| CloudLinux 6 ELS | curl | 7.19.7 | 5.9 | MEDIUM | Released | CLSA-2023:1681490914 | 2023-04-24 08:49:10 |
| Oracle Linux 6 ELS | curl | 7.19.7 | 5.9 | MEDIUM | Released | CLSA-2023:1681491163 | 2023-04-14 14:04:52 |
| Ubuntu 16.04 ELS | curl | 7.47.0 | 5.9 | MEDIUM | Released | CLSA-2023:1681491348 | 2023-04-14 14:04:54 |
| Ubuntu 18.04 ELS | curl | 7.58.0-2 | 5.9 | MEDIUM | Already Fixed | | 2023-04-28 08:47:38 |