CVE-2017-2628Improper Authentication in HAT INC Curl

CWE-287Improper Authentication6 documents6 sources
Severity
9.8CRITICALNVD
CNA5.0
EPSS
0.8%
top 25.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
RED HAT INC CurlHaxx Curl
Timeline
PublishedMar 12
Latest updateMay 13

Description

curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDhaxx/curl7.19.7
CVEListV5red_hat_inc/curl7.19.7-53

🔴Vulnerability Details

2
GHSA
GHSA-9v4c-xqrp-4vv9: curl, as shipped in Red Hat Enterprise Linux 6 before version 72022-05-13
CVEList
CVE-2017-2628: curl, as shipped in Red Hat Enterprise Linux 6 before version 72018-03-12

📋Vendor Advisories

2
Red Hat
curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)2017-03-29
Debian
CVE-2017-2628: curl - curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not...2017

💬Community

1
Bugzilla
CVE-2017-2628 curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)2017-02-15
CVE-2017-2628 — Improper Authentication in HAT INC Curl | cvebase