Updated: 2024-03-27 20:12:35.590187
Description:
An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
Links | NIST | CIRCL | RHEL | Ubuntu |
CVSS version | Severity | Score |
---|---|---|
CVSS Version 2.x | 0 | |
CVSS Version 3.x | MEDIUM | 5.9 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
---|---|---|---|---|---|---|---|
AlmaLinux 9.2 ESU | curl | 7.76.1 | 5.9 | MEDIUM | Released | CLSA-2024:1719943814 | 2024-07-02 14:36:33 |
CentOS 6 ELS | curl | 7.19.7 | 5.9 | MEDIUM | Released | CLSA-2023:1681490707 | 2023-04-24 08:49:09 |
CentOS 7 ELS | curl | 7.29.0 | 5.9 | MEDIUM | Ignored | | 2023-09-19 09:30:26 |
CentOS 8.4 ELS | curl | 7.61.1 | 5.9 | MEDIUM | Released | CLSA-2023:1681491543 | 2023-04-14 14:04:46 |
CentOS 8.5 ELS | curl | 7.61.1 | 5.9 | MEDIUM | Released | CLSA-2023:1681491763 | 2023-04-14 14:04:48 |
CloudLinux 6 ELS | curl | 7.19.7 | 5.9 | MEDIUM | Released | CLSA-2023:1681490914 | 2023-04-24 08:49:09 |
Oracle Linux 6 ELS | curl | 7.19.7 | 5.9 | MEDIUM | Released | CLSA-2023:1681491163 | 2023-04-14 14:04:48 |
Ubuntu 16.04 ELS | curl | 7.47.0 | 5.9 | MEDIUM | Released | CLSA-2023:1681491348 | 2023-04-14 14:04:50 |
Ubuntu 18.04 ELS | curl | 7.58.0-2 | 5.9 | MEDIUM | Already Fixed | | 2023-04-28 08:47:38 |