CVE-2023-27535
Published: 2023-03-30
Priority: P3 · 35 · medium · 5.9 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.61% (72.8th percentile)
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
Affected
32 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.88.1-7 (bookworm) | curl 7.88.1-7 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| haxx | curl | >= 0 < 7.74.0-1.3+deb11u8 | 7.74.0-1.3+deb11u8 |
| haxx | curl | >= 0 < 7.88.1-7 | 7.88.1-7 |
| haxx | curl | >= 0 < 7.88.1-7 | 7.88.1-7 |
| haxx | curl | >= 0 < 7.88.1-7 | 7.88.1-7 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.24 | 7.58.0-2ubuntu3.24 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.18 | 7.68.0-1ubuntu2.18 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.10 | 7.81.0-1ubuntu1.10 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.20+esm15 | 7.35.0-1ubuntu2.20+esm15 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.19+esm8 | 7.47.0-1ubuntu2.19+esm8 |
| haxx | libcurl | 7.13.0 – 7.88.1 | — |
| https | github.com_curl_curl | — | — |
| msrc | azl3_cmake_3.21.4-10_on_azure_linux_3.0 | — | — |
| msrc | azl3_cmake_3.28.2-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.11.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_cmake_3.21.4-13_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_curl_8.0.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_mysql_8.0.34-1_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvd · v3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
osv · 8.8 HIGH
vendor_ubuntu · 8.8 HIGH
vendor_debian · 5.9 MEDIUM
vendor_msrc · 5.9 MEDIUM
vendor_redhat · 5.9 MEDIUM
CISA ICS
Siemens SINEC NMS
cisa_ics·2024-02-15
ICS Advisory
Release Date: February 15, 2024
Alert Code: ICSA-24-046-15
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEC NMS
- Vulnerabilities: Out-of-bounds Read, Inadequate Encryption Strength, Double Free, Use After Free, NULL Pointer Dereference, Improper Input Validation, Missing Encryption of Sensitive Data, Allocation of Resources Wit
Ubuntu
curl vulnerabilities
vendor_ubuntu·2023-03-27·CVSS 8.8
CVE-2023-27535 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
USN-5964-1 fixed several vulnerabilities in curl. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
Harry Sintonen discovered that curl incorrectly handled certain TELNET
connection options. Due to lack of proper input scrubbing, curl could pass
on user name and telnet options to the server as provided, contrary to
expectations. (CVE-2023-27533)
Harry Sintonen discovered that curl incorrectly reused certain FTP
connections. This could lead to the wrong credentials being reused,
contrary to expectations. (CVE-2023-27535)
Harry Sintonen discovered that curl incorrectly reused connections when the
GSS delegation option had been changed. This
Red Hat
curl: FTP too eager connection reuse
vendor_redhat·2023-03-20·CVSS 5.9
CVE-2023-27535 [MEDIUM] CWE-305 curl: FTP too eager connection reuse
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subse
Ubuntu
curl vulnerabilities
vendor_ubuntu·2023-03-20·CVSS 8.8
CVE-2023-27533 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Harry Sintonen discovered that curl incorrectly handled certain TELNET
connection options. Due to lack of proper input scrubbing, curl could pass
on user name and telnet options to the server as provided, contrary to
expectations. (CVE-2023-27533)
Harry Sintonen discovered that curl incorrectly handled special tilde
characters when used with SFTP paths. A remote attacker could possibly use
this issue to circumvent filtering. (CVE-2023-27534)
Harry Sintonen discovered that curl incorrectly reused certain FTP
connections. This could lead to the wrong credentials being reused,
contrary to expectations. (CVE-2023-27535)
Harry Sintonen discovered that curl incorrectly reused connections when the
GSS delegation
Microsoft
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created conn
vendor_msrc·2023-03-14·CVSS 5.9
CVE-2023-27535 [MEDIUM] CWE-287 An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created conn
Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
hackerone: hackerone
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://le
Debian
CVE-2023-27535: curl - An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP conne...
vendor_debian·2023·CVSS 5.9
CVE-2023-27535 [MEDIUM] CVE-2023-27535: curl - An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP conne...
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
Scope: local
bookworm: resolved (fixed in 7.88.1-7)
bullseye: resolved (fixed in 7.74.0-1.3+deb11u8)
forky: resolved (fixed in 7.88.1-7)
sid: resolve
OSV
CVE-2023-27535: An authentication bypass vulnerability exists in libcurl <8
osv·2023-03-30·CVSS 5.9
CVE-2023-27535 [MEDIUM] CVE-2023-27535: An authentication bypass vulnerability exists in libcurl <8
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
GHSA
GHSA-q9fm-68jc-87x3: An authentication bypass vulnerability exists in libcurl <8
ghsa_unreviewed·2023-03-30
CVE-2023-27535 [HIGH] CWE-287 GHSA-q9fm-68jc-87x3: An authentication bypass vulnerability exists in libcurl <8
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
OSV
curl vulnerabilities
osv·2023-03-27·CVSS 8.8
CVE-2023-27533 [HIGH] curl vulnerabilities
USN-5964-1 fixed several vulnerabilities in curl. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
Harry Sintonen discovered that curl incorrectly handled certain TELNET
connection options. Due to lack of proper input scrubbing, curl could pass
on user name and telnet options to the server as provided, contrary to
expectations. (CVE-2023-27533)
Harry Sintonen discovered that curl incorrectly reused certain FTP
connections. This could lead to the wrong credentials being reused,
contrary to expectations. (CVE-2023-27535)
Harry Sintonen discovered that curl incorrectly reused connections when the
GSS delegation option had been changed. This could lead to the option being
reused, contrary to expectatio
OSV
curl vulnerabilities
osv·2023-03-20·CVSS 8.8
CVE-2023-27533 [HIGH] curl vulnerabilities
Harry Sintonen discovered that curl incorrectly handled certain TELNET
connection options. Due to lack of proper input scrubbing, curl could pass
on user name and telnet options to the server as provided, contrary to
expectations. (CVE-2023-27533)
Harry Sintonen discovered that curl incorrectly handled special tilde
characters when used with SFTP paths. A remote attacker could possibly use
this issue to circumvent filtering. (CVE-2023-27534)
Harry Sintonen discovered that curl incorrectly reused certain FTP
connections. This could lead to the wrong credentials being reused,
contrary to expectations. (CVE-2023-27535)
Harry Sintonen discovered that curl incorrectly reused connections when the
GSS delegation option had been changed. This could lead to the option being
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2023-27535: FTP too eager connection reuse
hackerone·2023-03-22·CVSS 5.9
CVE-2023-27535 [MEDIUM] CVE-2023-27535: FTP too eager connection reuse
## Summary:
libcurl FTP(S) protocol will reuse connection even if different `CURLOPT_FTP_ACCOUNT` (libcurl) or `--ftp-account` (curl) is specified for different connections and the server requests account authentication via reply code `332`. It appears that `STRING_FTP_ALTERNATIVE_TO_USER` (libcurl) or `--ftp-alternative-to-user` (curl) is also affected and should also result in caching being refused.
## Steps To Reproduce:
1. terminal 1: `echo -e "foo\n" | nc -v -l -p 9998; echo -e "bar\n" | nc -v -l -p 9998`
2. terminal 2: `echo -ne "220 a\n331 b\n332 c\n230 d\n257 \"/\"\n229 (|||9998|)\n200 e\n213 4\n150 f\n226 g\n229 (|||9998|)\n213 4\n150 f\n226 g\n" | nc -v -l -p 9999`
3. terminal 3: `curl -v --ftp-account alice "ftp://ftp@server:999
HackerOne
CVE-2023-27535: FTP too eager connection reuse
hackerone·2023-03-20·CVSS 5.9
CVE-2023-27535 [MEDIUM] CVE-2023-27535: FTP too eager connection reuse
libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to the second transfer being done with the wrong credentials.
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out of the configuration match checks, making them match too easily. The settings in question are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and the CURLOPT_USE_SSL level.
## Hackerone report
#1892780
## Impact
Accessing content with wrong cached credentials.
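The matching flaw described above, as an added example that is not libcurl's code or part of any advisory quoted here: a simplified model of the pool lookup with the too-eager match beside a match that also compares the four FTP settings. The struct, the function names, the host `ftp.example` and the sample accounts are all constructed for illustration, and `host`/`user` stand in for the checks that already existed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, not libcurl source) of a pooled FTP connection. */
struct ftp_setup {
    const char *host, *user;  /* stand-ins for checks that already existed */
    const char *account;      /* CURLOPT_FTP_ACCOUNT */
    const char *alt_to_user;  /* CURLOPT_FTP_ALTERNATIVE_TO_USER */
    int ssl_ccc;              /* CURLOPT_FTP_SSL_CCC */
    int use_ssl;              /* CURLOPT_USE_SSL level */
};

/* NULL-safe compare: an unset string matches only another unset string. */
static bool same_str(const char *a, const char *b)
{
    return (a && b) ? strcmp(a, b) == 0 : a == b;
}

/* Too-eager match: the four FTP settings are ignored. */
bool match_loose(const struct ftp_setup *c, const struct ftp_setup *want)
{
    return same_str(c->host, want->host) && same_str(c->user, want->user);
}

/* Corrected match: settings that change the effective user or the channel protection must match too. */
bool match_strict(const struct ftp_setup *c, const struct ftp_setup *want)
{
    return match_loose(c, want) && same_str(c->account, want->account) &&
           same_str(c->alt_to_user, want->alt_to_user) &&
           c->ssl_ccc == want->ssl_ccc && c->use_ssl == want->use_ssl;
}

/* Constructed pool: one connection authenticated with account "alice".
 * Returns the pooled index reused for the requested setup, or -1 (open a new one). */
int pick_connection(const char *account, int use_ssl, bool strict)
{
    static const struct ftp_setup pool[] = {{"ftp.example", "ftp", "alice", NULL, 0, 0}};
    struct ftp_setup want = {"ftp.example", "ftp", account, NULL, 0, use_ssl};
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (strict ? match_strict(&pool[i], &want) : match_loose(&pool[i], &want))
            return (int)i;
    return -1;
}

int main(void)
{
    printf("account bob: loose=%d strict=%d\n", pick_connection("bob", 0, false), pick_connection("bob", 0, true));
    return 0;
}
```

With the loose match, a transfer asking for account `bob` is handed the connection already logged in as `alice`; the strict match returns -1 for it, so a new connection is opened.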
https://hackerone.com/reports/1892780
https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/
https://security.gentoo.org/glsa/202310-12
https://security.netapp.com/advisory/ntap-20230420-0010/