Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-27535
HistoryMar 20, 2023 - 12:00 a.m.

CVE-2023-27535

2023-03-2000:00:00
ubuntu.com
ubuntu.com
52
authentication bypass
libcurl
ftp
connection reuse
credentials
sensitive information
vulnerability
unauthorized access
configuration match checks

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

62.4%

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP
connection reuse feature that can result in wrong credentials being used
during subsequent transfers. Previously created connections are kept in a
connection pool for reuse if they match the current setup. However, certain
FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER,
CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the
configuration match checks, causing them to match too easily. This could
lead to libcurl using the wrong credentials when performing a transfer,
potentially allowing unauthorized access to sensitive information.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchcurl< 7.58.0-2ubuntu3.24UNKNOWN
ubuntu20.04noarchcurl< 7.68.0-1ubuntu2.18UNKNOWN
ubuntu22.04noarchcurl< 7.81.0-1ubuntu1.10UNKNOWN
ubuntu22.10noarchcurl< 7.85.0-1ubuntu0.5UNKNOWN
ubuntu23.04noarchcurl< 7.88.1-6ubuntu2UNKNOWN
ubuntu14.04noarchcurl< 7.35.0-1ubuntu2.20+esm15UNKNOWN
ubuntu16.04noarchcurl< 7.47.0-1ubuntu2.19+esm8UNKNOWN

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

62.4%