Уязвимость CVE-2023-27536: Информация
Описание
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
Важность: MEDIUM (5,9) Вектор: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Исправленные пакеты
Имя пакета | Ветка | Исправлено в версии | Версия в репозитории | Errata ID | № Задания | Состояние |
|---|---|---|---|---|---|---|
| curl | sisyphus | 8.0.0-alt1 | 8.7.1-alt2 | ALT-PU-2023-1475-1 | 317011 | Исправлено |
| curl | sisyphus_e2k | 8.0.0-alt1 | 8.7.1-alt2 | ALT-PU-2023-2920-1 | - | Исправлено |
| curl | sisyphus_riscv64 | 8.0.1-alt1 | 8.7.1-alt2 | ALT-PU-2023-2904-1 | - | Исправлено |
| curl | p10 | 8.0.1-alt1 | 8.7.1-alt2 | ALT-PU-2023-1501-1 | 317014 | Исправлено |
| curl | p10_e2k | 8.0.1-alt1 | 8.7.1-alt2 | ALT-PU-2023-2950-1 | - | Исправлено |
| curl | c10f1 | 8.0.1-alt1 | 8.6.0-alt1 | ALT-PU-2023-1501-1 | 317014 | Исправлено |
| curl | c9f2 | 8.3.0-alt1 | 8.6.0-alt1 | ALT-PU-2023-5727-4 | 329877 | Исправлено |
Ссылки на рекомендации, решения и инструменты
Ссылка | Ресурс |
|---|---|
| https://hackerone.com/reports/1895135 |
|
| https://security.netapp.com/advisory/ntap-20230420-0010/ |
|
| [debian-lts-announce] 20230421 [SECURITY] [DLA 3398-1] curl security update |
|
| GLSA-202310-12 |
|
| FEDORA-2023-7e7414e64d |
|