Credentials management in cURL - CVE-2011-2192

 

Credentials management in cURL - CVE-2011-2192

Published: July 8, 2011 / Updated: July 28, 2020


Vulnerability identifier: #VU32858
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2011-2192
CWE-ID: CWE-255
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: curl.haxx.se
Affected software:
cURL

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.


How to mitigate CVE-2011-2192

Install update from vendor's website.

Sources