CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38546 – curl: cookie injection with none file
https://notcve.org/view.php?id=CVE-2023-38546
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course. Esta falla permite a un atacante insertar cookies a voluntad en un programa en ejecución usando libcurl, si se cumple una serie específica de condiciones. libcurl realiza transferencias. • http://seclists.org/fulldisclosure/2024/Jan/34 http://seclists.org/fulldisclosure/2024/Jan/37 http://seclists.org/fulldisclosure/2024/Jan/38 https://curl.se/docs/CVE-2023-38546.html https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ https://support.apple.com/kb/HT214036 https://support.apple.com/kb/HT214057 https://support.apple.com/kb/HT214058 https://sup • CWE-73: External Control of File Name or Path •
CVSS: 5.9EPSS: 0%CPEs: 16EXPL: 1CVE-2023-27535 – curl: FTP too eager connection reuse
https://notcve.org/view.php?id=CVE-2023-27535
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information. A flaw was found in the Curl package. • https://hackerone.com/reports/1892780 https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230420-0010 https://access.redhat.com/security/cve/CVE-2023-27535 https://bugzilla.redhat.com/show_bug.cgi?id=2179073 • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 5.9EPSS: 0%CPEs: 16EXPL: 1CVE-2023-27536 – curl: GSS delegation too eager connection re-use
https://notcve.org/view.php?id=CVE-2023-27536
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed. A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. • https://hackerone.com/reports/1895135 https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230420-0010 https://access.redhat.com/security/cve/CVE-2023-27536 https://bugzilla.redhat.com/show_bug.cgi?id=2179092 • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 5.5EPSS: 0%CPEs: 17EXPL: 1CVE-2023-27538 – curl: SSH connection too eager reuse still
https://notcve.org/view.php?id=CVE-2023-27538
An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection. • https://hackerone.com/reports/1898475 https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230420-0010 https://access.redhat.com/security/cve/CVE-2023-27538 https://bugzilla.redhat.com/show_bug.cgi?id=2179103 • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 4.3EPSS: 0%CPEs: 60EXPL: 1CVE-2021-22924 – curl: Bad connection reuse due to flawed path name checks
https://notcve.org/view.php?id=CVE-2021-22924
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. libcurl mantiene las conexiones usadas previamente en un pool de conexiones para reusarlas en posteriores transferencias, si una de ellas coincide con la configuración. Debido a errores en la lógica, la función de coincidencia de la configuración no tenía en cuenta "issuercert" y comparaba las rutas implicadas *sin tener en cuenta el caso*, que podía conllevar a que libcurl reusara conexiones erróneas. Las rutas de los archivos son, o pueden ser, casos confidenciales en muchos sistemas, pero no en todos, y pueden incluso variar dependiendo de los sistemas de archivos usados. La comparación tampoco incluía el "issuercert" que una transferencia puede ajustar para calificar cómo verificar el certificado del servidor A flaw was found in libcurl in the way libcurl handles previously used connections without accounting for 'issuer cert' and comparing the involved paths case-insensitively. This flaw allows libcurl to use the wrong connection. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf https://hackerone.com/reports/1223565 https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0c • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation CWE-706: Use of Incorrectly-Resolved Name or Reference •