CVE-2015-3148: Improper Access Control in Red Hat Inc Curl

Severity: 5.0 MEDIUM (NVD)
EPSS: 1.7% (top 17.76%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 24, latest update May 14

Description

cURL and libcurl 7.10.6 through 7.41.0 do not treat HTTP Negotiate as a connection-oriented authentication scheme, so a pooled connection that was already authenticated with Negotiate as one user can be re-used for a later request made as a different user, which allows remote attackers to connect as other users via a request.
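The connection-cache reuse rule behind this bug, as a simplified added model (this is not libcurl's code; the host name, user names and the two policy sets are constructed for illustration). It contrasts a cache that only treats NTLM as connection-oriented, as affected curl releases did, with one that also binds Negotiate-authenticated connections to the user who authenticated them:

```python
"""Simplified model of the connection-cache reuse rule behind CVE-2015-3148.
Constructed illustration, not libcurl's code.

HTTP authentication schemes come in two kinds:
  * per-request (Basic, Digest): every request carries its own credentials,
    so any idle connection to the same host may serve any user;
  * connection-oriented (NTLM, Negotiate/SPNEGO): the TCP connection itself
    is authenticated once, and the server attributes everything sent on it
    afterwards to that user.

Affected curl versions only marked NTLM as connection-oriented, so an idle
connection already authenticated with Negotiate as one user could be handed
to a request made with another user's credentials.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Hypothetical client-side policy sets: which schemes bind a connection to a
# user for the purpose of cache reuse.
VULNERABLE_POLICY = frozenset({"NTLM"})            # behaviour of curl 7.10.6 - 7.41.0
FIXED_POLICY = frozenset({"NTLM", "Negotiate"})    # behaviour of curl 7.42.0 and later

# What the server actually does, independent of the client's policy.
TRULY_CONNECTION_ORIENTED = frozenset({"NTLM", "Negotiate"})


@dataclass
class Connection:
    host: str
    # Identity the server associated with this socket at the auth handshake;
    # None until a connection-oriented handshake completes.
    bound_user: Optional[str] = None
    bound_scheme: Optional[str] = None


class ConnectionCache:
    """Idle-connection pool with a pluggable 'connection-oriented' policy."""

    def __init__(self, connection_oriented: frozenset):
        self.connection_oriented = connection_oriented
        self.idle: list[Connection] = []
        self.opened = 0

    def _reusable(self, conn: Connection, host: str, user: str) -> bool:
        if conn.host != host:
            return False
        # A connection bound to a user by a scheme the policy considers
        # connection-oriented may only be reused by that same user.
        if conn.bound_scheme in self.connection_oriented:
            return conn.bound_user == user
        return True

    def acquire(self, host: str, user: str) -> Connection:
        for conn in self.idle:
            if self._reusable(conn, host, user):
                self.idle.remove(conn)
                return conn
        self.opened += 1
        return Connection(host)

    def release(self, conn: Connection) -> None:
        self.idle.append(conn)


def send_request(cache: ConnectionCache, host: str, scheme: str, user: str) -> str:
    """Send one authenticated request and return the identity the server sees.

    Modelled server behaviour: once a socket carries a completed NTLM or
    Negotiate handshake the server does not re-challenge, so every later
    request on that socket is attributed to the originally bound user.
    """
    conn = cache.acquire(host, user)
    if scheme in TRULY_CONNECTION_ORIENTED:
        if conn.bound_user is None:
            conn.bound_user = user          # handshake performed as `user`
            conn.bound_scheme = scheme
        seen_as = conn.bound_user           # no re-challenge on a bound socket
    else:
        seen_as = user                      # Basic/Digest: credentials in this request
    cache.release(conn)
    return seen_as


def demo(policy: frozenset) -> dict:
    """alice authenticates with Negotiate, then bob sends a request to the same host."""
    cache = ConnectionCache(policy)
    host = "intranet.example.test"          # constructed host name
    return {
        "alice_seen_as": send_request(cache, host, "Negotiate", "alice"),
        "bob_seen_as": send_request(cache, host, "Negotiate", "bob"),
        "alice_again_seen_as": send_request(cache, host, "Negotiate", "alice"),
        "connections_opened": cache.opened,
    }


if __name__ == "__main__":
    print("vulnerable policy:", demo(VULNERABLE_POLICY))
    print("fixed policy:     ", demo(FIXED_POLICY))
```

With the vulnerable policy bob's request rides on alice's authenticated socket and the server treats it as alice; with the fixed policy the cache refuses the reuse and opens a second connection. On a libcurl that cannot be upgraded past 7.41.0, the equivalent mitigation is to stop the cache from handing a connection across credential changes, for example by setting CURLOPT_FORBID_REUSE or CURLOPT_FRESH_CONNECT on handles that use Negotiate. Note also that a distribution backport of the fix can itself be incomplete (the Bugzilla entry for CVE-2017-2628 below tracks exactly that case), so check the vendor advisory for the package actually installed rather than relying on the upstream version range alone.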

CVSS vector

AV:N/AC:L/Au:N/C:N/I:P/A:N (CVSS v2; Exploitability: 10.0 | Impact: 2.9)

Affected Packages (7 packages)

NVD: haxx/libcurl, 72 versions (+71)
Debian: haxx/curl < 7.42.0-1 (+3)
NVD: haxx/curl, 72 versions (+71)
CVEList V5: red_hat_inc/curl 7.19.7-53

Also affects: Debian Linux 7.0, Fedora 21, 22, Ubuntu Linux 12.04, 14.04, 14.10, 15.04

🔴 Vulnerability Details (3)

GHSA: GHSA-28hh-42pj-vp7w: cURL and libcurl 7 (2022-05-14)
OSV: CVE-2015-3148: cURL and libcurl 7 (2015-04-24)
CVEList: CVE-2015-3148: cURL and libcurl 7 (2015-04-24)

📋 Vendor Advisories (4)

Ubuntu: curl vulnerabilities (2015-04-30)
Red Hat: curl: Negotiate not treated as connection-oriented (2015-04-22)
Debian: CVE-2015-3148: curl - cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Nego... (2015)
Apple: CVE-2015-3148: OS X Yosemite v10.10.5 and Security Update 2015-006

💬 Community (5)

Bugzilla: CVE-2017-2628 curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148) (2017-02-15)
Bugzilla: CVE-2015-3143 CVE-2015-3148 CVE-2015-3145 CVE-2015-3144 mingw-curl: various flaws [epel-7] (2015-04-23)
Bugzilla: CVE-2015-3143 CVE-2015-3148 CVE-2015-3145 CVE-2015-3144 mingw-curl: various flaws [fedora-all] (2015-04-23)
Bugzilla: CVE-2015-3148 curl: "Negotiate" not treated as connection-oriented [fedora-all] (2015-04-22)
Bugzilla: CVE-2015-3148 curl: Negotiate not treated as connection-oriented (2015-04-20)