CVE-2023-27536

Updated: 2024-03-27 20:12:35.590187

Description:

An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
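To make the reuse check concrete, here is an added example (not libcurl's own code) modelling a connection-pool matcher in its vulnerable and fixed forms: the struct names and find_reusable are assumptions for this illustration, while the CURLGSSAPI_DELEGATION_* values are those defined in curl/curl.h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Delegation modes, values as defined in curl/curl.h. */
#define CURLGSSAPI_DELEGATION_NONE        0
#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1 << 0)
#define CURLGSSAPI_DELEGATION_FLAG        (1 << 1)

/* Constructed model of a pooled connection; not libcurl's internal struct. */
struct pooled_conn {
    const char *host;
    int port;
    const char *user;
    long gssapi_delegation;  /* CURLOPT_GSSAPI_DELEGATION value the connection was built with */
};

/* Requirements of the transfer that wants a connection. */
struct needle {
    const char *host;
    int port;
    const char *user;
    long gssapi_delegation;  /* current CURLOPT_GSSAPI_DELEGATION on the easy handle */
};

static bool same_endpoint(const struct needle *n, const struct pooled_conn *c) {
    return n->port == c->port && strcmp(n->host, c->host) == 0 &&
           strcmp(n->user, c->user) == 0;
}

/* Vulnerable matching (pre-8.0.0 behaviour): the delegation setting is never consulted,
 * so a connection negotiated with delegation enabled serves a transfer that asked for none. */
bool matches_vulnerable(const struct needle *n, const struct pooled_conn *c) {
    return same_endpoint(n, c);
}

/* Hardened matching: a connection built under a different delegation setting is not reused. */
bool matches_fixed(const struct needle *n, const struct pooled_conn *c) {
    return same_endpoint(n, c) && n->gssapi_delegation == c->gssapi_delegation;
}

/* Scan the pool with the given matcher; return the index of a reusable connection or -1. */
int find_reusable(const struct needle *n, const struct pooled_conn *pool, size_t len,
                  bool (*match)(const struct needle *, const struct pooled_conn *)) {
    for (size_t i = 0; i < len; i++)
        if (match(n, &pool[i]))
            return (int)i;
    return -1;
}
```

On an unfixed libcurl, an application that changes CURLOPT_GSSAPI_DELEGATION between transfers can force a new connection with CURLOPT_FRESH_CONNECT, which is the "do not reuse" mitigation the description recommends.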


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

                  Severity  Score
CVSS Version 2.x  -         0
CVSS Version 3.x  MEDIUM    5.9

Status

OS name             Project name  Version   Score  Severity  Status         Errata                Last updated
AlmaLinux 9.2 ESU   curl          7.76.1    5.9    MEDIUM    Released       CLSA-2024:1719943814  2024-07-02 14:36:33
CentOS 6 ELS        curl          7.19.7    5.9    MEDIUM    Released       CLSA-2023:1681490707  2023-04-24 08:49:09
CentOS 7 ELS        curl          7.29.0    5.9    MEDIUM    Ignored        -                     2023-09-19 09:30:26
CentOS 8.4 ELS      curl          7.61.1    5.9    MEDIUM    Released       CLSA-2023:1681491543  2023-04-14 14:04:46
CentOS 8.5 ELS      curl          7.61.1    5.9    MEDIUM    Released       CLSA-2023:1681491763  2023-04-14 14:04:48
CloudLinux 6 ELS    curl          7.19.7    5.9    MEDIUM    Released       CLSA-2023:1681490914  2023-04-24 08:49:09
Oracle Linux 6 ELS  curl          7.19.7    5.9    MEDIUM    Released       CLSA-2023:1681491163  2023-04-14 14:04:48
Ubuntu 16.04 ELS    curl          7.47.0    5.9    MEDIUM    Released       CLSA-2023:1681491348  2023-04-14 14:04:50
Ubuntu 18.04 ELS    curl          7.58.0-2  5.9    MEDIUM    Already Fixed  -                     2023-04-28 08:47:38