ID CVE-2011-2192
Summary The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
References
Vulnerable Configurations
  • cpe:2.3:a:curl:curl:*:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.10.6:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.10.7:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.10.8:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.12:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.12.2:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.12.3:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.13:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.13.1:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.13.2:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.14:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.15:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.15.1:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.15.3:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.16.3:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.17.0:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.17.1:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.19.3:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.19.4:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.19.5:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.19.6:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.19.7:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.20.0:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.21.1:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.21.2:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.21.3:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.21.4:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.21.5:*:*:*:*:*:*:*
  • cpe:2.3:a:curl:libcurl:7.21.6:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 05-01-2018 - 02:29)
Impact: 2.9
Exploitability: 8.6
CWE CWE-255 (Credentials Management Errors)
CAPEC
Access
Vector: NETWORK  Complexity: MEDIUM  Authentication: NONE
Impact
Confidentiality: PARTIAL  Integrity: NONE  Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
redhat via4
advisories
bugzilla
id 711454
title CVE-2011-2192 curl: Improper delegation of client credentials during GSS negotiation
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment curl is earlier than 0:7.12.1-17.el4
          oval oval:com.redhat.rhsa:tst:20110918002
        • comment curl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090341003
      • AND
        • comment curl-devel is earlier than 0:7.12.1-17.el4
          oval oval:com.redhat.rhsa:tst:20110918004
        • comment curl-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090341005
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment curl is earlier than 0:7.15.5-9.el5_6.3
          oval oval:com.redhat.rhsa:tst:20110918007
        • comment curl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090341011
      • AND
        • comment curl-devel is earlier than 0:7.15.5-9.el5_6.3
          oval oval:com.redhat.rhsa:tst:20110918009
        • comment curl-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090341013
  • AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment curl is earlier than 0:7.19.7-26.el6_1.1
          oval oval:com.redhat.rhsa:tst:20110918015
        • comment curl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110918016
      • AND
        • comment libcurl is earlier than 0:7.19.7-26.el6_1.1
          oval oval:com.redhat.rhsa:tst:20110918019
        • comment libcurl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110918020
      • AND
        • comment libcurl-devel is earlier than 0:7.19.7-26.el6_1.1
          oval oval:com.redhat.rhsa:tst:20110918017
        • comment libcurl-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110918018
rhsa
id RHSA-2011:0918
released 2011-07-05
severity Moderate
title RHSA-2011:0918: curl security update (Moderate)
rpms
  • curl-0:7.12.1-17.el4
  • curl-devel-0:7.12.1-17.el4
  • curl-0:7.15.5-9.el5_6.3
  • curl-devel-0:7.15.5-9.el5_6.3
  • curl-0:7.19.7-26.el6_1.1
  • libcurl-0:7.19.7-26.el6_1.1
  • libcurl-devel-0:7.19.7-26.el6_1.1
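Deciding whether a host is exposed needs two checks that this record gives the inputs for: the upstream range from the summary (7.10.6 through 7.21.6), and, on Red Hat systems, the package NEVR against the fixed builds in RHSA-2011:0918, because Red Hat backports the fix without changing the upstream number (curl-7.19.7-26.el6_1.1 is fixed even though 7.19.7 is inside the affected range). The script below is an added example, not code from this advisory page or from the curl project. It assumes: a constructed sample of `curl --version` output; a simplified reimplementation of rpm's version ordering (no `~`/`^` handling); and the heuristic that the vulnerable Negotiate path is only reachable when the Features line reports GSS support.

```python
"""Affected-version check for CVE-2011-2192. Added example; not from the
advisory page or the curl project."""
import re

# Inclusive upstream range from the CVE summary (fixed upstream in 7.21.7).
FIRST_AFFECTED = (7, 10, 6)
LAST_AFFECTED = (7, 21, 6)

# Fixed builds listed in RHSA-2011:0918, as name-epoch:version-release.
RHSA_2011_0918_FIXED = [
    "curl-0:7.12.1-17.el4", "curl-devel-0:7.12.1-17.el4",
    "curl-0:7.15.5-9.el5_6.3", "curl-devel-0:7.15.5-9.el5_6.3",
    "curl-0:7.19.7-26.el6_1.1", "libcurl-0:7.19.7-26.el6_1.1",
    "libcurl-devel-0:7.19.7-26.el6_1.1",
]

# Constructed sample of 'curl --version' output for a RHEL 6 host (not captured).
SAMPLE_VERSION_OUTPUT = """\
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.7.0 zlib/1.2.3
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
"""


def parse_upstream_version(text):
    """First dotted version number in text, as a (major, minor, patch) tuple."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def upstream_affected(text):
    """True if an unpatched upstream libcurl of this version always delegates."""
    return FIRST_AFFECTED <= parse_upstream_version(text) <= LAST_AFFECTED


def gss_compiled_in(version_output):
    """Heuristic: the Negotiate code path only exists when the Features line of
    'curl --version' reports GSS support (GSS-Negotiate then, GSS-API in later curls)."""
    feats = re.search(r"^Features:(.*)$", version_output, re.M)
    return bool(feats and re.search(r"\bGSS-(Negotiate|API)\b", feats.group(1)))


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1/0/1 over alnum segments (no '~' or '^' handling)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment sorts newer than alpha
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments sorts newer


def parse_nevr(nevr):
    """Split 'name-epoch:version-release' into (name, epoch, version, release)."""
    m = re.fullmatch(r"(.+)-(\d+):([^-]+)-([^-]+)", nevr)
    if not m:
        raise ValueError("not name-epoch:version-release: %r" % nevr)
    name, epoch, version, release = m.groups()
    return name, int(epoch), version, release


def evrcmp(a, b):
    """Order two NEVRs of one package: epoch first, then version, then release."""
    _, ea, va, ra = parse_nevr(a)
    _, eb, vb, rb = parse_nevr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def redhat_affected(installed_nevr):
    """True if older than the RHSA-2011:0918 build for the same package name and
    RHEL tag; False if at or past it; None when the advisory lists no such build."""
    name, _, _, release = parse_nevr(installed_nevr)
    tag = re.search(r"el\d+", release)
    for fixed in RHSA_2011_0918_FIXED:
        fname, _, _, frelease = parse_nevr(fixed)
        if fname == name and tag and re.search(r"\b%s(?!\d)" % tag.group(0), frelease):
            return evrcmp(installed_nevr, fixed) < 0
    return None


def assess(version_output, installed_nevr=None):
    """'unreachable', 'affected' or 'fixed' for one host; the distro package state
    wins over the bare upstream number because Red Hat backports the fix."""
    if not gss_compiled_in(version_output):
        return "unreachable"
    if installed_nevr is not None:
        pkg = redhat_affected(installed_nevr)
        if pkg is not None:
            return "affected" if pkg else "fixed"
    return "affected" if upstream_affected(version_output) else "fixed"


if __name__ == "__main__":
    for nevr in (None, "curl-0:7.19.7-16.el6", "curl-0:7.19.7-26.el6_1.1"):
        print(nevr, "->", assess(SAMPLE_VERSION_OUTPUT, nevr))
```

On a live host feed it the output of `curl --version` and `rpm -q --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}\n' curl` (an unset epoch prints as `(none)`; treat it as 0 before parsing). For non-Red Hat builds use the distribution's own advisory (DSA-2271, USN-1158-1, the Fedora and Mandriva updates above) rather than the upstream number. Upstream, 7.21.7 stopped requesting delegation unconditionally, and 7.22.0 made it an explicit choice via CURLOPT_GSSAPI_DELEGATION and the `--delegation` command-line flag, which default to no delegation; an application that genuinely needs delegation should enable it only for servers it trusts.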
refmap via4
apple APPLE-SA-2012-02-01-1
confirm
debian DSA-2271
fedora
  • FEDORA-2011-8586
  • FEDORA-2011-8640
gentoo GLSA-201203-02
mandriva MDVSA-2011:116
sectrack 1025713
secunia
  • 45047
  • 45067
  • 45088
  • 45144
  • 45181
  • 48256
ubuntu USN-1158-1
Last major update 05-01-2018 - 02:29
Published 07-07-2011 - 21:55