CVE-2023-27536

CVSS V2 None CVSS V3 None
Description
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
Overview
  • CVE ID
  • CVE-2023-27536
  • Assigner
  • support@hackerone.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2023-03-30T20:15:07
  • Last Modified Date
  • 2023-04-21T23:15:20
Weakness Enumerations
CWE URL
CWE-287 http://cwe.mitre.org/data/definitions/287.html
CWE-305 http://cwe.mitre.org/data/definitions/305.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* 1 OR 7.22.0 7.88.1
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* 1 OR
References
Reference URL Reference Tags
https://hackerone.com/reports/1895135 Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/ Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20230420-0010/
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2023-27536
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536
History
Created Old Value New Value Data Type Notes
2023-04-17 03:56:13 Added to TrackCVE
2023-04-17 03:56:15 Weakness Enumeration new
2023-04-20 10:01:27 2023-04-20T09:15:09 CVE Modified Date updated
2023-04-20 10:01:27 Analyzed Modified Vulnerability Status updated
2023-04-20 10:01:31 References updated
2023-04-22 00:01:40 2023-04-21T23:15:20 CVE Modified Date updated
2023-04-22 00:01:43 References updated