CVE-2015-3148
Published 2015-04-24
PriorityP338medium5CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS
17.94%
96.8th percentile
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
Affected
168 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | os_x_yosemite_v10.10.5_and_security_update_2015-006 | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | curl | < curl 7.42.0-1 (bookworm) | curl 7.42.0-1 (bookworm) |
| debian | curl | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
CVSS provenance
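| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |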
GHSA
GHSA-28hh-42pj-vp7w: cURL and libcurl 7
ghsa_unreviewed·2022-05-14
CVE-2015-3148 [MEDIUM] CWE-284 GHSA-28hh-42pj-vp7w: cURL and libcurl 7
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
GHSA
GHSA-9v4c-xqrp-4vv9: curl, as shipped in Red Hat Enterprise Linux 6 before version 7
ghsa_unreviewed·2022-05-13·CVSS 5.0
CVE-2017-2628 [MEDIUM] CWE-287 GHSA-9v4c-xqrp-4vv9: curl, as shipped in Red Hat Enterprise Linux 6 before version 7
curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
OSV
curl vulnerabilities
osv·2015-04-30·CVSS 5.0
CVE-2015-3143 [MEDIUM] curl vulnerabilities
Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP
credentials when subsequently connecting to the same host over HTTP.
(CVE-2015-3143)
Hanno Böck discovered that curl incorrectly handled zero-length host names.
If a user or automated system were tricked into using a specially crafted
host name, an attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04.
(CVE-2015-3144)
Hanno Böck discovered that curl incorrectly handled cookie path elements.
If a user or automated system were tricked into parsing a specially crafted
cookie, an attacker could possibly use this issue to cause curl to crash,
resulting in a denial of serv
OSV
CVE-2015-3148: cURL and libcurl 7
osv·2015-04-24·CVSS 5.0
CVE-2015-3148 [MEDIUM] CVE-2015-3148: cURL and libcurl 7
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
Red Hat
curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)
vendor_redhat·2017-03-29·CVSS 5.0
CVE-2017-2628 [MEDIUM] CWE-287 curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)
curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server.
Package: curl (Red Hat Ceph Storage 2) - Not affected
Package: curl (Red Hat Enterprise Linux 5) - Not affected
Package: curl (Red Hat Enterprise Linux 7) - Not affected
Package: mingw-vir
Debian
CVE-2017-2628: curl - curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not...
vendor_debian·2017·CVSS 5.0
CVE-2017-2628 [MEDIUM] CVE-2017-2628: curl - curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not...
curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Ubuntu
curl vulnerabilities
vendor_ubuntu·2015-04-30·CVSS 5.0
CVE-2015-3143 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP
credentials when subsequently connecting to the same host over HTTP.
(CVE-2015-3143)
Hanno Böck discovered that curl incorrectly handled zero-length host names.
If a user or automated system were tricked into using a specially crafted
host name, an attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04.
(CVE-2015-3144)
Hanno Böck discovered that curl incorrectly handled cookie path elements.
If a user or automated system were tricked into parsing a specially crafted
cookie, an attacker could possibly use thi
Red Hat
curl: Negotiate not treated as connection-oriented
vendor_redhat·2015-04-22·CVSS 5.0
CVE-2015-3148 [MEDIUM] CWE-287 curl: Negotiate not treated as connection-oriented
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
It was discovered that libcurl could incorrectly reuse Negotiate authenticated HTTP connections for subsequent requests. If an application using libcurl established a Negotiate authenticated HTTP connection to a server and sent subsequent requests with different credentials, the connection could be re-used with the initial set of credentials instead of using the new ones.
Statement: This issue affects the version of curl package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle.
Debian
CVE-2015-3148: curl - cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Nego...
vendor_debian·2015·CVSS 5.0
CVE-2015-3148 [MEDIUM] CVE-2015-3148: curl - cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Nego...
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
Scope: local
bookworm: resolved (fixed in 7.42.0-1)
bullseye: resolved (fixed in 7.42.0-1)
forky: resolved (fixed in 7.42.0-1)
sid: resolved (fixed in 7.42.0-1)
trixie: resolved (fixed in 7.42.0-1)
Apple
CVE-2015-3148: OS X Yosemite v10.10.5 and Security Update 2015-006
vendor_apple·CVSS 5.0
CVE-2015-3148 [MEDIUM] CVE-2015-3148: OS X Yosemite v10.10.5 and Security Update 2015-006
Apple Security Update: About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006
Product: OS X Yosemite v10.10.5 and Security Update 2015-006
CVE: CVE-2015-3148
Component: CVE-2015-3148
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-2628 curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)
bugzilla·2017-02-15·CVSS 5.0
CVE-2017-2628 [MEDIUM] CVE-2017-2628 curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)
It was found that the fix for CVE-2015-3148 was not correctly backported to curl in RHEL 6 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE.
The original issue was described as:
It was discovered that libcurl could incorrectly reuse Negotiate authenticated HTTP connections for subsequent requests. If an application using libcurl established a Negotiate authenticated HTTP connection to a server and sent subsequent requests with different credentials, the connection could be re-used with the initial set of credentials instead of using the new ones.
This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
Discussion
Bugzilla
CVE-2015-3143 CVE-2015-3148 CVE-2015-3145 CVE-2015-3144 mingw-curl: various flaws [epel-7]
bugzilla·2015-04-23·CVSS 5.0
CVE-2015-3143 [MEDIUM] CVE-2015-3143 CVE-2015-3148 CVE-2015-3145 CVE-2015-3144 mingw-curl: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for mingw-curl: se
Bugzilla
CVE-2015-3143 CVE-2015-3148 CVE-2015-3145 CVE-2015-3144 mingw-curl: various flaws [fedora-all]
bugzilla·2015-04-23·CVSS 5.0
CVE-2015-3143 [MEDIUM] CVE-2015-3143 CVE-2015-3148 CVE-2015-3145 CVE-2015-3144 mingw-curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppo
Bugzilla
CVE-2015-3148 curl: "Negotiate" not treated as connection-oriented [fedora-all]
bugzilla·2015-04-22·CVSS 5.0
CVE-2015-3148 [MEDIUM] CVE-2015-3148 curl: "Negotiate" not treated as connection-oriented [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions o
Bugzilla
CVE-2015-3148 curl: Negotiate not treated as connection-oriented
bugzilla·2015-04-20·CVSS 5.0
CVE-2015-3148 [MEDIUM] CVE-2015-3148 curl: Negotiate not treated as connection-oriented
libcurl keeps a pool of its last few connections around after use to
facilitate easy, convenient and completely transparent connection re-use for
applications.
When doing HTTP requests Negotiate authenticated, the entire connection may
become authenticated and not just the specific HTTP request which is otherwise
how HTTP works, as Negotiate can basically use NTLM under the hood. curl was
not adhering to this fact but would assume that such requests would also be
authenticated per request.
The net effect is that libcurl may end up re-using an authenticated Negotiate
connection and sending subsequent requests on it using new credentials, while
the connection remains authenticated with a previous initial credentials
setup
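The reuse flaw described above, as a simplified model added here (not libcurl's code and not part of the bug report): a pool lookup that matches on endpoint only, beside one that treats a Negotiate-authenticated connection as bound to one identity. The pool layout, function names, and the sample host and users are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a connection pool; hypothetical names, not libcurl's code. */
enum auth { AUTH_NONE, AUTH_BASIC, AUTH_NEGOTIATE };

struct conn {
    const char *host; int port;
    enum auth bound_auth;    /* scheme that authenticated the connection itself */
    const char *bound_user;  /* identity the server tied to the connection */
};

/* Constructed sample pool: one kept-alive connection authenticated as alice. */
static const struct conn POOL[] = {
    { "intranet.example", 80, AUTH_NEGOTIATE, "alice" },
};
#define POOL_LEN (sizeof POOL / sizeof POOL[0])

static int same_endpoint(const struct conn *c, const char *host, int port)
{
    return strcmp(c->host, host) == 0 && c->port == port;
}

/* Flawed lookup: endpoint match only, assuming auth is always per request. */
const struct conn *reuse_flawed(const char *host, int port, const char *user)
{
    (void)user;  /* requested credentials never influence the match */
    for (size_t i = 0; i < POOL_LEN; i++)
        if (same_endpoint(&POOL[i], host, port))
            return &POOL[i];
    return NULL;
}

/* Corrected lookup: a connection carrying Negotiate state is reused only for
   the identity it was authenticated with. */
const struct conn *reuse_checked(const char *host, int port, const char *user)
{
    for (size_t i = 0; i < POOL_LEN; i++) {
        const struct conn *c = &POOL[i];
        if (!same_endpoint(c, host, port))
            continue;
        if (c->bound_auth == AUTH_NEGOTIATE &&
            (!user || !c->bound_user || strcmp(user, c->bound_user) != 0))
            continue;  /* caller must open a fresh connection */
        return c;
    }
    return NULL;
}

int main(void)
{
    const struct conn *c = reuse_flawed("intranet.example", 80, "bob");
    printf("flawed:  bob's request is sent as %s\n", c ? c->bound_user : "(new conn)");
    c = reuse_checked("intranet.example", 80, "bob");
    printf("checked: bob's request is sent as %s\n", c ? c->bound_user : "(new conn)");
    return 0;
}
```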
arXiv
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware
arxiv_fulltext·2022-12-29
## Abstract
Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware. Existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement , which leverages syntactical features and control-flow graph features to detect the TPCs in firmware, and then recognizes the corresponding vulnerabilities. Based on , we present the first l