PT-2011-1173 · Curl+1
Jan Lieskovsky · Published 2011-06-23 · Updated 2020-05-27 · CVE-2011-2192
CVSS v2.0: 7.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
curl versions 7.10.6 through 7.21.6
curl versions prior to 7.24.0
Description
The issue concerns multiple vulnerabilities in the curl package, which can be exploited remotely to compromise the confidentiality, integrity, and availability of protected information. Specifically, the Curl_input_negotiate function in libcurl always performs credential delegation during GSSAPI authentication, allowing remote servers to impersonate clients via GSSAPI requests. Delegation is a sensitive operation and should only be performed when explicitly directed by the user. libcurl uses the GSS/Negotiate feature for HTTP authentication only if it is enabled and if libcurl was built with a library that provides the GSSAPI.
Recommendations
For curl versions 7.10.6 through 7.21.6, consider disabling the GSSAPI authentication mechanism until a patch is available.
For curl versions prior to 7.24.0, update to a version 7.24.0 or later to resolve the issue.
As a temporary workaround, consider restricting access to the Curl_input_negotiate function to minimize the risk of exploitation.
Fix
Improper Preservation of Permissions
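To act on the recommendations above, a defender first needs to know which hosts run an affected libcurl that was actually built with GSSAPI support. The following added example (not part of this advisory or of the curl project) classifies `curl --version` banners against the version ranges stated above and checks the feature line for GSS-Negotiate (reported as GSS-API by newer builds); the banners embedded below are constructed samples, not captured output.

```python
import re

# Version ranges as stated in the advisory: 7.10.6 through 7.21.6 always
# delegate GSSAPI credentials; the recommended update target is 7.24.0.
AFFECTED_LOW, AFFECTED_HIGH = (7, 10, 6), (7, 21, 6)
FIXED_IN = (7, 24, 0)

def parse_version(banner):
    """Extract the libcurl version from the first line of `curl --version`."""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no libcurl version found in banner")
    return tuple(int(x) for x in m.groups())

def built_with_gssapi(banner):
    """Negotiate auth is only compiled in when libcurl was built against a
    GSSAPI library; `curl --version` lists that as GSS-Negotiate (GSS-API in
    newer builds) on the Features line."""
    m = re.search(r"^Features:\s*(.*)$", banner, re.M)
    features = set(m.group(1).split()) if m else set()
    return bool(features & {"GSS-Negotiate", "GSS-API"})

def assess(banner):
    """Return (status, action) for one `curl --version` banner."""
    v = parse_version(banner)
    if v >= FIXED_IN:
        return "fixed", "no action needed"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        if built_with_gssapi(banner):
            return "vulnerable", "disable GSSAPI/Negotiate auth until updated to 7.24.0+"
        return "affected-version-no-gssapi", "not exploitable as built; update to 7.24.0+"
    return "update-recommended", "update to 7.24.0+"

# Constructed sample banners (not captured from real hosts).
OLD_GSS = """curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.7.0 zlib/1.2.3
Protocols: ftp http https ldap ldaps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
"""
OLD_NOGSS = """curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3
Protocols: ftp http https
Features: IPv6 Largefile SSL libz
"""
NEW = """curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7
Protocols: ftp http https ldap ldaps scp sftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
"""

if __name__ == "__main__":
    for name, banner in (("old+gss", OLD_GSS), ("old", OLD_NOGSS), ("new", NEW)):
        print(name, *assess(banner), sep=": ")
```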
Affected Products
Red Hat
Curl