Credentials Management Affecting curl package, versions <7.21.6-2
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Threat Intelligence
EPSS
0.23% (61st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN10-CURL-358979
- published 7 Jul 2011
- disclosed 7 Jul 2011
Introduced: 7 Jul 2011
CVE-2011-2192 Open this link in a new tabHow to fix?
Upgrade Debian:10 curl to version 7.21.6-2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian.
See How to fix? for Debian:10 relevant fixed versions and status.
The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
References
- https://security-tracker.debian.org/tracker/CVE-2011-2192
- http://support.apple.com/kb/HT5130
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://www.debian.org/security/2011/dsa-2271
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062287.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061992.html
- http://security.gentoo.org/glsa/glsa-201203-02.xml
- http://curl.haxx.se/curl-gssapi-delegation.patch
- http://curl.haxx.se/docs/adv_20110623.html
- https://bugzilla.redhat.com/show_bug.cgi?id=711454
- http://secunia.com/advisories/45047
- http://secunia.com/advisories/45067
- http://secunia.com/advisories/45088
- http://secunia.com/advisories/45144
- http://secunia.com/advisories/45181
- http://secunia.com/advisories/48256
- http://www.securitytracker.com/id?1025713
- http://www.ubuntu.com/usn/USN-1158-1
- http://www.redhat.com/support/errata/RHSA-2011-0918.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:116