Lucene search
K

EulerOS 2.0 SP12 : curl (EulerOS-SA-2026-2583)

🗓️ 10 Jul 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Curl on EulerOS is vulnerable to cookie leakage, bad connection reuse, and proxy credential leakage.

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: IBM WinCollect Agent is vulnerable to using components with known vulnerabilities
6 Jul 202613:49
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability impacts AIX due to cURL libcurl (CVE-2026-5545).
30 Jun 202613:43
ibm
ATTACKERKB
CVE-2026-6429
13 May 202608:28
attackerkb
ATTACKERKB
CVE-2026-5545
13 May 202608:27
attackerkb
ATTACKERKB
CVE-2026-6253
13 May 202608:28
attackerkb
ATTACKERKB
CVE-2026-5773
13 May 202608:27
attackerkb
ATTACKERKB
CVE-2026-7168
13 May 202608:29
attackerkb
ATTACKERKB
CVE-2026-4873
13 May 202608:27
attackerkb
ATTACKERKB
CVE-2026-6276
13 May 202608:28
attackerkb
AlpineLinux
CVE-2026-4873
13 May 202608:27
alpinelinux
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(326110);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/10");

  script_cve_id(
    "CVE-2026-4873",
    "CVE-2026-5545",
    "CVE-2026-5773",
    "CVE-2026-6253",
    "CVE-2026-6276",
    "CVE-2026-6429",
    "CVE-2026-7168"
  );

  script_name(english:"EulerOS 2.0 SP12 : curl (EulerOS-SA-2026-2583)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the
following vulnerabilities :

    Using libcurl, when a custom `Host:` header is first set for an HTTP request
    and a second request is subsequently done using the same *easy handle* but
    without the custom `Host:` header set, the second request would use stale
    information and pass on cookies meant for the first host in the second
    request. Leak them.(CVE-2026-6276)

    libcurl might in some circumstances reuse the wrong connection when asked to
    do an authenticated HTTP(S) request after a Negotiate-authenticated one, when
    both use the same host.

    libcurl features a pool of recent connections so that subsequent requests can
    reuse an existing connection to avoid overhead.

    When reusing a connection a range of criteria must be met. Due to a logical
    error in the code, a request that was issued by an application could
    wrongfully reuse an existing connection to the same server that was
    authenticated using different credentials.

    An application that first uses Negotiate authentication to a server with
    `user1:password1` and then does another operation to the same server asking
    for any authentication method but for `user2:password2` (while the previous
    connection is still alive) - the second request gets confused and wrongly
    reuses the same connection and sends the new request over that connection
    thinking it uses a mix of user1's and user2's credentials when it is in fact
    still using the connection authenticated for user1...(CVE-2026-5545)

    curl might erroneously pass on credentials for a first proxy to a second
    proxy.

    This can happen when the following conditions are true:

    1. curl is setup to use specific different proxies for different URL schemes
    2. the first proxy needs credentials
    3. the second proxy uses no credentials
    4. while using the first proxy (using say `http://`), curl is asked to follow
       a redirect to a URL using another scheme (say `https://`), accessed using a
       second, different, proxy(CVE-2026-6253)

    libcurl might in some circumstances reuse the wrong connection for SMB(S)
    transfers.

    libcurl features a pool of recent connections so that subsequent requests can
    reuse an existing connection to avoid overhead.

    When reusing a connection a range of criteria must be met. Due to a logical
    error in the code, a network transfer operation that was requested by an
    application could wrongfully reuse an existing SMB connection to the same
    server that was using a different 'share' than the new subsequent transfer
    should.

    This could in unlucky situations lead to the download of the wrong file or the
    upload of a file to the wrong place. When this happens, the same credentials
    are used and the server name is the same.(CVE-2026-5773)

    A vulnerability exists where a connection requiring TLS incorrectly reuses an
    existing unencrypted connection from the same connection pool. If an initial
    transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request
    to that same host bypasses the TLS requirement and instead transmit data
    unencrypted.(CVE-2026-4873)

    When asked to both use a `.netrc` file for credentials and to follow HTTP
    redirects, libcurl could leak the password used for the first host to the
    followed-to host under certain circumstances.(CVE-2026-6429)

    Successfully using libcurl to do a transfer over a specific HTTP proxy
    (`proxyA`) with **Digest** authentication and then changing the proxy host to
    a second one (`proxyB`) for a second transfer, reusing the same handle, makes
    libcurl wrongly pass on the `Proxy-Authorization:` header field meant for
    `proxyA`, to `proxyB`.(CVE-2026-7168)

Tenable has extracted the preceding description block directly from the EulerOS curl security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2026-2583
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0f06c697");
  script_set_attribute(attribute:"solution", value:
"Update the affected curl packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-5773");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:curl-help");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libcurl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libcurl-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12");

var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(12)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12");

if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

var flag = 0;

var pkgs = [
  "curl-7.79.1-14.h41.eulerosv2r12",
  "curl-help-7.79.1-14.h41.eulerosv2r12",
  "libcurl-7.79.1-14.h41.eulerosv2r12",
  "libcurl-devel-7.79.1-14.h41.eulerosv2r12"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"12", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Jul 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.17.5
EPSS0.00639
SSVC
2