An authentication bypass vulnerability exists in libcurl before 8.0.0 in the connection reuse feature: a previously established connection could be reused with incorrect user permissions because libcurl failed to check for changes in the CURLOPT_GSSAPI_DELEGATION option between transfers. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could result in unauthorized access to sensitive information. The safest option is not to reuse connections once the CURLOPT_GSSAPI_DELEGATION option has been changed.
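As an added example (not curl project code and not part of the original advisory), the script below does the two things a practitioner wants from this description: it decides whether an installed libcurl is exposed (older than 8.0.0 and built with GSS-API/Kerberos/SPNEGO, since a build without those features cannot perform the affected transfers at all), and it wraps a Negotiate transfer so that a pooled connection is never reused once the delegation setting has changed, which is the workaround the text recommends. The `curl --version` output is constructed for the example; the `transfer()` helper assumes pycurl is installed and uses pycurl's option constants.

```python
"""Triage and workaround helpers for CVE-2023-27536 (libcurl GSS-API delegation
connection reuse). Added example, not curl project code."""
import re
import subprocess

# pycurl is only needed by transfer(); the triage functions run without it.
try:
    import pycurl  # assumption: pycurl is installed where transfer() is used
except ImportError:
    pycurl = None

FIXED_IN = (8, 0, 0)
# Negotiate/Kerberos transfers only exist in builds advertising these features,
# so a libcurl built without GSS-API has no vulnerable code path to reach.
GSS_FEATURES = {"GSS-API", "Kerberos", "SPNEGO"}

# Constructed sample of `curl --version` output for an unpatched build
# (made up for this example, not captured from a real host).
SAMPLE_VULNERABLE = """\
curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.8 zlib/1.2.13 nghttp2/1.52.0
Release-Date: 2023-02-20
Protocols: dict file ftp ftps http https imap imaps ldap pop3 smtp telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe
"""


def parse_curl_version(text):
    """Return (libcurl version tuple, set of Features) from `curl --version` output."""
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no libcurl/X.Y.Z token in output")
    version = tuple(int(part) for part in m.groups())
    features = set()
    for line in text.splitlines():
        if line.startswith("Features:"):
            features = set(line.split(":", 1)[1].split())
    return version, features


def is_exposed(version, features):
    """True when libcurl is older than 8.0.0 and the build can do GSS-API transfers."""
    return version < FIXED_IN and bool(features & GSS_FEATURES)


def check_installed_curl(binary="curl"):
    """Run the real binary and return (version, features, exposed)."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    version, features = parse_curl_version(out)
    return version, features, is_exposed(version, features)


def needs_fresh_connection(previous, wanted):
    """Reuse is only unsafe once the delegation setting differs from the one
    in force when the pooled connection was established."""
    return previous is not None and previous != wanted


_last_delegation = {}  # id(handle) -> CURLOPT_GSSAPI_DELEGATION used last time


def transfer(handle, url, delegate):
    """Negotiate transfer on a pycurl handle that refuses to reuse a pooled
    connection whenever the delegation setting differs from the previous
    transfer on the same handle (the workaround the advisory recommends)."""
    if pycurl is None:
        raise RuntimeError("pycurl is required for transfer()")
    wanted = pycurl.GSSAPI_DELEGATION_FLAG if delegate else pycurl.GSSAPI_DELEGATION_NONE
    fresh = needs_fresh_connection(_last_delegation.get(id(handle)), wanted)
    handle.setopt(pycurl.URL, url)
    handle.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_NEGOTIATE)
    handle.setopt(pycurl.USERPWD, ":")  # Negotiate ignores the value but needs one
    handle.setopt(pycurl.GSSAPI_DELEGATION, wanted)
    handle.setopt(pycurl.WRITEFUNCTION, lambda chunk: len(chunk))
    # A changed delegation policy must not ride on a connection whose security
    # context was negotiated under the old one; force a new connection instead.
    handle.setopt(pycurl.FRESH_CONNECT, 1 if fresh else 0)
    handle.perform()
    _last_delegation[id(handle)] = wanted
    return handle.getinfo(pycurl.RESPONSE_CODE)


if __name__ == "__main__":
    ver, feats = parse_curl_version(SAMPLE_VULNERABLE)
    print("sample build:", ".".join(map(str, ver)), "exposed =", is_exposed(ver, feats))
```

`check_installed_curl()` is the quick host check; `transfer()` is for code that must keep running on an unpatched libcurl, where tracking the last delegation value per handle is what lets the wrapper set CURLOPT_FRESH_CONNECT only on the transfers that would otherwise inherit a connection negotiated under a different delegation policy.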
References
Link | Resource |
---|---|
https://hackerone.com/reports/1895135 | Exploit Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html | Mailing List Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/ | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/202310-12 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20230420-0010/ | Third Party Advisory |
History
27 Mar 2024, 14:46
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/ - Mailing List, Third Party Advisory | |
First Time | Splunk, Splunk universal Forwarder | |
07 Nov 2023, 04:09
Type | Values Removed | Values Added |
---|---|---|
References | | |
20 Oct 2023, 18:44
Type | Values Removed | Values Added |
---|---|---|
References | (GENTOO) https://security.gentoo.org/glsa/202310-12 - Third Party Advisory |
11 Oct 2023, 11:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
06 Jun 2023, 20:34
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown v3 : 5.9 |
31 May 2023, 17:58
Type | Values Removed | Values Added |
---|---|---|
First Time | Netapp h700s Firmware, Debian, Netapp active Iq Unified Manager, Netapp h410s Firmware, Netapp h700s, Netapp h500s Firmware, Netapp h300s, Debian debian Linux, Netapp h300s Firmware, Netapp, Netapp ontap, Netapp h500s, Netapp h410s | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20230420-0010/ - Third Party Advisory | |
CPE | cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:* cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* | |
CVSS | v2 : v3 : | v2 : unknown v3 : 7.5 |
21 Apr 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
20 Apr 2023, 09:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
10 Apr 2023, 14:02
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/ - Mailing List, Third Party Advisory | |
References | (MISC) https://hackerone.com/reports/1895135 - Exploit, Third Party Advisory | |
CVSS | v2 : v3 : | v2 : unknown v3 : 9.8 |
CWE | CWE-287 | |
First Time | Fedoraproject, Fedoraproject fedora, Haxx libcurl, Haxx | |
09 Apr 2023, 04:16
Type | Values Removed | Values Added |
---|---|---|
References | | |
30 Mar 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-03-30 20:15
Updated : 2024-03-27 14:46
NVD link : CVE-2023-27536
Mitre link : CVE-2023-27536
CVE.ORG link : CVE-2023-27536
Products Affected
netapp
- h500s
- h700s_firmware
- h410s
- h500s_firmware
- h300s
- h700s
- h300s_firmware
- ontap
- active_iq_unified_manager
- h410s_firmware
splunk
- universal_forwarder
haxx
- libcurl
debian
- debian_linux
fedoraproject
- fedora