CVE-2011-2192

2011-07-0721:55:00

CWE-255

[email protected]

web.nvd.nist.gov

cve-2011-2192

libcurl

http_negotiate.c

credential delegation

gssapi authentication

remote servers impersonation

7.3 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

60.7%

JSON

The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.

CPENameOperatorVersion
haxx:libcurlhaxx libcurlle7.21.6
apple:mac_os_xapple mac os xlt10.7.3
fedoraproject:fedorafedoraproject fedoraeq15
fedoraproject:fedorafedoraproject fedoraeq14
debian:debian_linuxdebian debian linuxeq5.0
debian:debian_linuxdebian debian linuxeq7.0
debian:debian_linuxdebian debian linuxeq6.0
canonical:ubuntu_linuxcanonical ubuntu linuxeq10.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq11.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq8.04

CPE	Name	Operator	Version
haxx:libcurl	haxx libcurl	le	7.21.6
apple:mac_os_x	apple mac os x	lt	10.7.3
fedoraproject:fedora	fedoraproject fedora	eq	15
fedoraproject:fedora	fedoraproject fedora	eq	14
debian:debian_linux	debian debian linux	eq	5.0
debian:debian_linux	debian debian linux	eq	7.0
debian:debian_linux	debian debian linux	eq	6.0
canonical:ubuntu_linux	canonical ubuntu linux	eq	10.10
canonical:ubuntu_linux	canonical ubuntu linux	eq	11.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	8.04