CVE-2011-2192
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
61.2%
The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
Affected configurations
References
curl.haxx.se/curl-gssapi-delegation.patch
curl.haxx.se/docs/adv_20110623.html
lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
lists.fedoraproject.org/pipermail/package-announce/2011-July/062287.html
lists.fedoraproject.org/pipermail/package-announce/2011-June/061992.html
secunia.com/advisories/45047
secunia.com/advisories/45067
secunia.com/advisories/45088
secunia.com/advisories/45144
secunia.com/advisories/45181
secunia.com/advisories/48256
security.gentoo.org/glsa/glsa-201203-02.xml
support.apple.com/kb/HT5130
www.debian.org/security/2011/dsa-2271
www.mandriva.com/security/advisories?name=MDVSA-2011:116
www.redhat.com/support/errata/RHSA-2011-0918.html
www.securitytracker.com/id?1025713
www.ubuntu.com/usn/USN-1158-1
bugzilla.redhat.com/show_bug.cgi?id=711454
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
61.2%