Credentials Management Affecting curl package, versions <7.21.6-2
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Threat Intelligence
EPSS
0.23% (60th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-CURL-521791
- published 7 Jul 2011
- disclosed 7 Jul 2011
Introduced: 7 Jul 2011
CVE-2011-2192 Open this link in a new tabHow to fix?
Upgrade Debian:11 curl to version 7.21.6-2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian:11.
See How to fix? for Debian:11 relevant fixed versions and status.
The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
References
- ADVISORY
- Apple Security Advisory
- Apple Security Announcement
- Debian Security Advisory
- Fedora Security Announcement
- Fedora Security Announcement
- Gentoo Security Advisory
- http://curl.haxx.se/curl-gssapi-delegation.patch
- http://curl.haxx.se/docs/adv_20110623.html
- RedHat Bugzilla Bug
- Secunia Advisory
- Secunia Advisory
- Secunia Advisory
- Secunia Advisory
- Secunia Advisory
- Secunia Advisory
- Security Tracker
- Ubuntu Security Advisory