CVE-2015-3143 — Improper Authentication in Curl

CWE-287 — Improper Authentication13 documents9 sources

Severity

5.0MEDIUMNVD

CNA4.0OSV4.0

EPSS

3.5%

top 12.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Apple MAC OS X HP System Management Homepage +3 more

Timeline

PublishedApr 24

Latest updateMay 14

Description

cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages6 packages

▶NVDhaxx/libcurl72 versions+71

▶Debianhaxx/curl< 7.42.0-1+3

▶Ubuntuhaxx/curl< 7.35.0-1ubuntu2.5

▶NVDhaxx/curl71 versions+70

▶NVDapple/mac_os_x10.9.5+5

Also affects: Debian Linux 7.0, Ubuntu Linux 12.04, 14.04, 14.10, 15.04

🔴Vulnerability Details

GHSA

GHSA-6mxf-77w3-cj5m: cURL and libcurl 7↗2022-05-14

▶

OSV

curl vulnerabilities↗2015-04-30

▶

CVEList

CVE-2015-3143: cURL and libcurl 7↗2015-04-24

▶

OSV

CVE-2015-3143: cURL and libcurl 7↗2015-04-24

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2015-04-30

▶

Red Hat

curl: re-using authenticated connection when unauthenticated↗2015-04-22

▶

Debian

CVE-2015-3143: curl - cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections...↗2015

▶

Apple

CVE-2015-3143: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

💬Community

Bugzilla

CVE-2015-3143 CVE-2015-3148 CVE-2015-3145 CVE-2015-3144 mingw-curl: various flaws [epel-7]↗2015-04-23

▶

Bugzilla

CVE-2015-3143 CVE-2015-3148 CVE-2015-3145 CVE-2015-3144 mingw-curl: various flaws [fedora-all]↗2015-04-23

▶

Bugzilla

CVE-2015-3143 curl: re-using authenticated connection when unauthenticated [fedora-all]↗2015-04-22

▶

Bugzilla

CVE-2015-3143 curl: re-using authenticated connection when unauthenticated↗2015-04-20

▶