Vulnerability CVE-2023-27536: Information
Description
An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
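The flaw is a connection-pool key that leaves out a security-relevant option. The following C program is an added example written for this page, not libcurl's own code: it models a minimal connection pool with the lookup as it behaved before 8.0.0 (host, port and user matched, delegation ignored) next to a lookup that also compares the delegation mode, which is the shape of the upstream fix. The struct names, the pool and the scenario (an idle connection to a constructed host set up with delegation enabled, then a transfer asking for no delegation) are assumptions made for the example; the CURLGSSAPI_DELEGATION_* values are redefined locally so the file builds without libcurl installed.

```c
/* Model of a libcurl-style connection-pool lookup, added example for this
 * advisory. Not libcurl's code; it reproduces only the shape of the bug:
 * a reuse key that omits the GSSAPI delegation setting. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Delegation modes, same values as CURLGSSAPI_DELEGATION_* in curl/curl.h,
 * redefined here so the example compiles without libcurl. */
#define GSSAPI_DELEGATION_NONE        0
#define GSSAPI_DELEGATION_POLICY_FLAG (1 << 0)
#define GSSAPI_DELEGATION_FLAG        (1 << 1)

/* One cached connection (hypothetical subset of libcurl's connectdata). */
struct conn {
    const char *host;
    int         port;
    const char *user;              /* user the connection authenticated as */
    long        gssapi_delegation; /* delegation mode the connection was set up with */
    bool        in_use;
};

/* What a new transfer asks for (hypothetical subset of per-transfer options). */
struct transfer_opts {
    const char *host;
    int         port;
    const char *user;
    long        gssapi_delegation; /* CURLOPT_GSSAPI_DELEGATION for this transfer */
};

#define POOL_SIZE 4
static struct conn pool[POOL_SIZE];

/* Vulnerable lookup (pre-8.0.0 behaviour): matches host, port and user but
 * never consults the delegation setting, so a transfer configured with
 * DELEGATION_NONE can be sent over a connection established with
 * delegation enabled, or vice versa. */
static struct conn *find_reusable_vulnerable(const struct transfer_opts *t)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        struct conn *c = &pool[i];
        if (!c->host || c->in_use) continue;
        if (c->port != t->port) continue;
        if (strcmp(c->host, t->host) != 0) continue;
        if (strcmp(c->user, t->user) != 0) continue;
        return c;
    }
    return NULL;
}

/* Fixed lookup (8.0.0 behaviour): the delegation mode is part of the reuse
 * key, so a connection is only handed to a transfer that wants the same
 * delegation setting it was created with. */
static struct conn *find_reusable_fixed(const struct transfer_opts *t)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        struct conn *c = &pool[i];
        if (!c->host || c->in_use) continue;
        if (c->port != t->port) continue;
        if (strcmp(c->host, t->host) != 0) continue;
        if (strcmp(c->user, t->user) != 0) continue;
        if (c->gssapi_delegation != t->gssapi_delegation) continue;
        return c;
    }
    return NULL;
}

/* Constructed scenario: one idle connection to a made-up internal host that
 * was set up with full credential delegation enabled. */
static void seed_pool(void)
{
    memset(pool, 0, sizeof(pool));
    pool[0].host = "intranet.example";
    pool[0].port = 443;
    pool[0].user = "alice";
    pool[0].gssapi_delegation = GSSAPI_DELEGATION_FLAG;
    pool[0].in_use = false;
}

/* True when 'lookup' reuses the pooled connection for a transfer that asked
 * for a different delegation mode than the connection was built with. */
static bool reuses_with_wrong_delegation(struct conn *(*lookup)(const struct transfer_opts *))
{
    seed_pool();
    struct transfer_opts t = { "intranet.example", 443, "alice", GSSAPI_DELEGATION_NONE };
    struct conn *c = lookup(&t);
    return c != NULL && c->gssapi_delegation != t.gssapi_delegation;
}

/* True when 'lookup' still reuses the connection for a transfer whose
 * delegation mode matches (the fix must not break legitimate reuse). */
static bool reuses_when_delegation_matches(struct conn *(*lookup)(const struct transfer_opts *))
{
    seed_pool();
    struct transfer_opts t = { "intranet.example", 443, "alice", GSSAPI_DELEGATION_FLAG };
    return lookup(&t) != NULL;
}

int main(void)
{
    printf("vulnerable lookup reuses mismatched connection: %s\n",
           reuses_with_wrong_delegation(find_reusable_vulnerable) ? "yes" : "no");
    printf("fixed lookup reuses mismatched connection:      %s\n",
           reuses_with_wrong_delegation(find_reusable_fixed) ? "yes" : "no");
    return 0;
}
```

For an application that cannot yet move to a fixed libcurl, the advisory's last sentence translates to forcing a new connection on any easy handle whose CURLOPT_GSSAPI_DELEGATION value differs from the previous transfer, for example by setting CURLOPT_FRESH_CONNECT (and CURLOPT_FORBID_REUSE so the connection is not returned to the pool afterwards) on that transfer.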
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
curl | sisyphus | 8.0.0-alt1 | 8.7.1-alt2 | ALT-PU-2023-1475-1 | 317011 | Fixed |
curl | sisyphus_e2k | 8.0.0-alt1 | 8.7.1-alt2 | ALT-PU-2023-2920-1 | - | Fixed |
curl | sisyphus_riscv64 | 8.0.1-alt1 | 8.7.1-alt2 | ALT-PU-2023-2904-1 | - | Fixed |
curl | p10 | 8.0.1-alt1 | 8.7.1-alt1 | ALT-PU-2023-1501-1 | 317014 | Fixed |
curl | p10_e2k | 8.0.1-alt1 | 8.7.1-alt1 | ALT-PU-2023-2950-1 | - | Fixed |
curl | c10f1 | 8.0.1-alt1 | 8.6.0-alt1 | ALT-PU-2023-1501-1 | 317014 | Fixed |
curl | c9f2 | 8.3.0-alt1 | 8.6.0-alt1 | ALT-PU-2023-5727-4 | 329877 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://hackerone.com/reports/1895135 | |
https://security.netapp.com/advisory/ntap-20230420-0010/ | |
[debian-lts-announce] 20230421 [SECURITY] [DLA 3398-1] curl security update | |
GLSA-202310-12 | |
FEDORA-2023-7e7414e64d | |