Description
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
It was discovered that libcurl could incorrectly reuse Negotiate authenticated HTTP connections for subsequent requests. If an application using libcurl established a Negotiate authenticated HTTP connection to a server and sent subsequent requests with different credentials, the connection could be re-used with the initial set of credentials instead of using the new ones.
Report
This issue affects the version of the curl package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in the Production 3 Phase of the support and maintenance life cycle. This issue is not planned to be addressed in a future update for Red Hat Enterprise Linux 5.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Ceph Storage 1.2 | curl | Will not fix | | |
Red Hat Enterprise Linux 5 | curl | Will not fix | | |
Red Hat Enterprise Virtualization 3 | mingw-virt-viewer | Fix deferred | | |
Red Hat Enterprise Linux 6 | curl | Fixed | RHSA-2015:1254 | 20.07.2015 |
Red Hat Enterprise Linux 7 | curl | Fixed | RHSA-2015:2159 | 19.11.2015 |
Additional information
CVSS2: 4 Medium