CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score Confidence: High
EPSS Percentile: 62.4%

libcurl would reuse a previously created FTP connection even when one or more
options had been changed that could have made the effective user a very
different one, thus leading to doing the second transfer with the wrong
credentials.

libcurl keeps previously used connections in a connection pool for subsequent
transfers to reuse if one of them matches the setup. However, several FTP
settings were left out of the configuration match checks, making them match
too easily. The settings in question are CURLOPT_FTP_ACCOUNT,
CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and the CURLOPT_USE_SSL
level.
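
The match problem described above, as an added example: a simplified model written for this page, not libcurl source code. The struct, the function names and the sample values are hypothetical; only the four CURLOPT_* names come from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the settings a pooled FTP connection was made with. */
struct ftp_conn_cfg {
    const char *host, *user, *passwd;
    const char *account;      /* CURLOPT_FTP_ACCOUNT */
    const char *alt_to_user;  /* CURLOPT_FTP_ALTERNATIVE_TO_USER */
    int ssl_ccc;              /* CURLOPT_FTP_SSL_CCC */
    int use_ssl;              /* CURLOPT_USE_SSL level */
};
typedef bool (*match_fn)(const struct ftp_conn_cfg *, const struct ftp_conn_cfg *);

/* NULL-safe compare: two unset options match, unset versus set does not. */
static bool same_str(const char *a, const char *b) {
    if (!a || !b) return a == b;
    return strcmp(a, b) == 0;
}

/* Too-loose check: the four FTP settings are left out of the comparison. */
bool match_loose(const struct ftp_conn_cfg *c, const struct ftp_conn_cfg *w) {
    return same_str(c->host, w->host) && same_str(c->user, w->user) &&
           same_str(c->passwd, w->passwd);
}

/* Strict check: settings that change the effective user or the TLS
   protection of the connection must be identical too. */
bool match_strict(const struct ftp_conn_cfg *c, const struct ftp_conn_cfg *w) {
    return match_loose(c, w) &&
           same_str(c->account, w->account) &&
           same_str(c->alt_to_user, w->alt_to_user) &&
           c->ssl_ccc == w->ssl_ccc && c->use_ssl == w->use_ssl;
}

/* Index of the first pooled connection accepted by `match`, or -1. */
int pool_find(const struct ftp_conn_cfg *pool, size_t n,
              const struct ftp_conn_cfg *want, match_fn match) {
    for (size_t i = 0; i < n; i++)
        if (match(&pool[i], want)) return (int)i;
    return -1;
}

/* Constructed sample: the pooled connection used account "billing"; the
   next transfer wants account "audit" with the same host and login. */
int demo_reuse(bool strict) {
    struct ftp_conn_cfg pool[] = {{"ftp.example.com", "alice", "pw", "billing", NULL, 0, 3}};
    struct ftp_conn_cfg want = {"ftp.example.com", "alice", "pw", "audit", NULL, 0, 3};
    return pool_find(pool, 1, &want, strict ? match_strict : match_loose);
}
```

With the loose check the second transfer is handed the pooled connection that was set up for a different account; with the strict check no pooled connection matches and a new one has to be created.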