CVE-2023-27536: An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect…

medium5.9CVSS 3.1

AVNACHPRNUINSUCHINAN

An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

Affected

34 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	curl	< curl 7.88.1-7 (bookworm)	curl 7.88.1-7 (bookworm)
debian	debian_linux	—	—
fedoraproject	fedora	—	—
haxx	curl	>= 0 < 7.74.0-1.3+deb11u8	7.74.0-1.3+deb11u8
haxx	curl	>= 0 < 7.88.1-7	7.88.1-7
haxx	curl	>= 0 < 7.88.1-7	7.88.1-7
haxx	curl	>= 0 < 7.88.1-7	7.88.1-7
haxx	curl	>= 0 < 7.58.0-2ubuntu3.24	7.58.0-2ubuntu3.24
haxx	curl	>= 0 < 7.68.0-1ubuntu2.18	7.68.0-1ubuntu2.18
haxx	curl	>= 0 < 7.81.0-1ubuntu1.10	7.81.0-1ubuntu1.10
haxx	curl	>= 0 < 7.35.0-1ubuntu2.20+esm15	7.35.0-1ubuntu2.20+esm15
haxx	curl	>= 0 < 7.47.0-1ubuntu2.19+esm8	7.47.0-1ubuntu2.19+esm8
haxx	libcurl	7.22.0 – 7.88.1	—
https	github.com_curl_curl	—	—
msrc	azl3_cmake_3.21.4-10_on_azure_linux_3.0	—	—
msrc	azl3_cmake_3.28.2-1_on_azure_linux_3.0	—	—
msrc	azl3_rust_1.75.0-14_on_azure_linux_3.0	—	—
msrc	azl3_rust_1.86.0-1_on_azure_linux_3.0	—	—
msrc	azl3_tensorflow_2.11.1-1_on_azure_linux_3.0	—	—
msrc	azl3_tensorflow_2.16.1-1_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_cmake_3.21.4-13_on_cbl_mariner_2.0	—	—
msrc	cbl2_curl_8.0.1-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_mysql_8.0.34-1_on_cbl_mariner_2.0	—	—

CVSS provenance

nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

osv8.8HIGH