PT-2023-2344 · Libcurl+11
Harry Sintonen
·
Published
2023-03-20
·
Updated
2026-05-18
·
CVE-2023-27536
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
libcurl versions prior to 8.0.0
Description
An authentication bypass issue exists in the connection reuse feature of libcurl and affects krb5/kerberos/negotiate/GSSAPI transfers. When deciding whether an already established connection can serve a new transfer, libcurl did not check whether the CURLOPT_GSSAPI_DELEGATION option had changed since that connection was authenticated. A transfer could therefore be sent over a connection that was set up under a different credential-delegation setting, continuing with permissions the caller did not intend and potentially exposing sensitive information. libcurl 8.0.0 fixes this by taking the delegation setting into account when matching a transfer against connections in the cache.
Recommendations
Upgrade to libcurl 8.0.0 or later, where connection matching compares the GSSAPI delegation setting. If upgrading is not immediately possible, do not change CURLOPT_GSSAPI_DELEGATION between transfers that share a connection cache (the same easy handle, multi handle or share object). Where a transfer does need a different delegation setting, force it onto a new connection with CURLOPT_FRESH_CONNECT, or mark its connection as not reusable with CURLOPT_FORBID_REUSE, accepting the extra round trips. As a broader workaround, disable connection reuse entirely for krb5/kerberos/negotiate/GSSAPI transfers and limit the set of hosts those transfers are made to.
Exploit
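The matching logic at the heart of this issue, as an added example written for this page. It is a simplified model of a connection cache, not curl's own code: the struct fields, the two policy functions and the constructed scenario are all illustrative assumptions. It contrasts a matcher that keys only on endpoint (the pre-8.0.0 behaviour the description refers to) with one that also requires the delegation setting to match, which is the "do not reuse if CURLOPT_GSSAPI_DELEGATION changed" rule from the recommendations.

```c
/* Toy model of libcurl's connection-cache matching for CVE-2023-27536.
 * Example code written for this page; NOT curl's implementation.
 * Field and function names are assumptions chosen for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the values a caller can pass to CURLOPT_GSSAPI_DELEGATION. */
typedef enum {
    DELEGATION_NONE   = 0,   /* CURLGSSAPI_DELEGATION_NONE */
    DELEGATION_POLICY = 1,   /* CURLGSSAPI_DELEGATION_POLICY_FLAG */
    DELEGATION_ALWAYS = 2    /* CURLGSSAPI_DELEGATION_FLAG */
} delegation_t;

/* A live connection in the cache, with the setting it authenticated under. */
typedef struct {
    const char  *scheme;
    const char  *host;
    int          port;
    delegation_t delegation;
} cached_conn_t;

/* A new transfer looking for a connection to reuse. */
typedef struct {
    const char  *scheme;
    const char  *host;
    int          port;
    delegation_t delegation;
} transfer_t;

static bool endpoint_matches(const cached_conn_t *c, const transfer_t *t)
{
    return strcmp(c->scheme, t->scheme) == 0 &&
           strcmp(c->host, t->host) == 0 &&
           c->port == t->port;
}

/* Modelled pre-8.0.0 behaviour: the delegation setting is never compared,
 * so a connection authenticated with delegation serves a transfer that
 * asked for none (and vice versa). */
bool reuse_vulnerable(const cached_conn_t *c, const transfer_t *t)
{
    return endpoint_matches(c, t);
}

/* Modelled fixed behaviour: a connection set up under a different
 * delegation setting is not eligible for reuse. */
bool reuse_fixed(const cached_conn_t *c, const transfer_t *t)
{
    return endpoint_matches(c, t) && c->delegation == t->delegation;
}

/* Scans the cache with the given policy; returns the index or -1 (new connection). */
int find_conn(const cached_conn_t *cache, size_t n, const transfer_t *t,
              bool (*policy)(const cached_conn_t *, const transfer_t *))
{
    for (size_t i = 0; i < n; i++)
        if (policy(&cache[i], t))
            return (int)i;
    return -1;
}

/* Constructed scenario: transfer A authenticated to a Kerberos-protected host
 * with full delegation; transfer B to the same host asks for no delegation.
 * Returns the cache index the policy would reuse, or -1. */
int scenario_index(bool (*policy)(const cached_conn_t *, const transfer_t *))
{
    cached_conn_t cache[] = {
        { "https", "intranet.example", 443, DELEGATION_ALWAYS },
    };
    transfer_t b = { "https", "intranet.example", 443, DELEGATION_NONE };
    return find_conn(cache, sizeof cache / sizeof cache[0], &b, policy);
}

int main(void)
{
    printf("vulnerable matcher reuses cache index: %d\n", scenario_index(reuse_vulnerable));
    printf("fixed matcher reuses cache index:      %d\n", scenario_index(reuse_fixed));
    return 0;
}
```

In the model the vulnerable matcher hands transfer B the delegating connection (index 0), while the fixed matcher returns -1 and a new connection is authenticated under B's own setting. On real libcurl older than 8.0.0 the equivalent of the fixed policy is reached from the application side, by setting CURLOPT_FRESH_CONNECT or CURLOPT_FORBID_REUSE on any transfer whose CURLOPT_GSSAPI_DELEGATION differs from the previous one on the same handle.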
Fix
DoS
Improper Authentication
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Ibm Aix
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Libcurl