PT-2023-2341 · Libcurl+11
Nyymi · Published 2023-03-20 · Updated 2026-05-18 · CVE-2023-27535
CVSS v3.1 5.9 Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
libcurl versions prior to 8.0.0
Description
An authentication bypass issue exists in the FTP connection reuse feature of libcurl. This issue can result in wrong credentials being used during subsequent transfers, potentially allowing unauthorized access to sensitive information. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings, such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL, were not included in the configuration match checks, so a pooled connection could match a later transfer too easily.
Recommendations
For libcurl versions prior to 8.0.0, consider disabling the FTP connection reuse feature as a temporary workaround until a patch is available. Restrict access to sensitive information by minimizing the use of FTP connections. Avoid using the CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL settings in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
Improper Authentication
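As an added illustration (not libcurl's code and not part of this advisory), the C model below shows why the missing match checks matter: a pool of previously used connections, a matcher that compares only host, port and login as the description states for versions before 8.0.0, and a matcher that also compares the four FTP options. Host names, logins and account names are constructed.

```c
/* Illustrative model of the pool match check behind CVE-2023-27535 (not libcurl's
 * own code). libcurl keeps finished connections in a pool and hands one back to a
 * later transfer when its setup matches; the FTP options below were left out. */
#include <stdbool.h>
#include <string.h>

typedef struct {
    const char *host;
    int port;
    const char *user;
    const char *password;
    const char *ftp_account;     /* CURLOPT_FTP_ACCOUNT */
    const char *ftp_alt_to_user; /* CURLOPT_FTP_ALTERNATIVE_TO_USER */
    int ftp_ssl_ccc;             /* CURLOPT_FTP_SSL_CCC */
    int use_ssl;                 /* CURLOPT_USE_SSL */
} ftp_setup;

static bool str_eq(const char *a, const char *b) {
    return (a == NULL || b == NULL) ? a == b : strcmp(a, b) == 0;
}

/* Vulnerable comparison (behaviour described for libcurl < 8.0.0): host, port, login only. */
bool conn_matches_vulnerable(const ftp_setup *pooled, const ftp_setup *wanted) {
    return str_eq(pooled->host, wanted->host) && pooled->port == wanted->port &&
           str_eq(pooled->user, wanted->user) && str_eq(pooled->password, wanted->password);
}

/* Fixed comparison: the FTP options are part of the connection's identity. */
bool conn_matches_fixed(const ftp_setup *pooled, const ftp_setup *wanted) {
    return conn_matches_vulnerable(pooled, wanted) &&
           str_eq(pooled->ftp_account, wanted->ftp_account) &&
           str_eq(pooled->ftp_alt_to_user, wanted->ftp_alt_to_user) &&
           pooled->ftp_ssl_ccc == wanted->ftp_ssl_ccc &&
           pooled->use_ssl == wanted->use_ssl;
}

/* Pool lookup: index of the first pooled connection the predicate accepts, or -1. */
typedef bool (*match_fn)(const ftp_setup *, const ftp_setup *);
int pool_find(const ftp_setup *pool, int n, const ftp_setup *wanted, match_fn match) {
    for (int i = 0; i < n; i++)
        if (match(&pool[i], wanted)) return i;
    return -1;
}

/* Constructed scenario: the pooled connection was set up with FTP account "acct-a";
 * the next transfer wants the same host and login but account "acct-b". */
int demo_reuse_decision(bool fixed) {
    ftp_setup pool[1] = {{"ftp.example.test", 21, "alice", "pw", "acct-a", NULL, 0, 0}};
    ftp_setup wanted = {"ftp.example.test", 21, "alice", "pw", "acct-b", NULL, 0, 0};
    return pool_find(pool, 1, &wanted, fixed ? conn_matches_fixed : conn_matches_vulnerable);
}
```

In a real libcurl client the workaround the advisory recommends, disabling connection reuse, corresponds to setting CURLOPT_FORBID_REUSE and CURLOPT_FRESH_CONNECT on the handle; the model above does not call libcurl.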
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Ibm Aix
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Libcurl