
Debian 10 Buster: DLA-3398-1 Critical: Curl Input Validation Bypass

Debian LTS
April 21, 2023

CVE-2023-27533: An input validation vulnerability exists in curl during communication using the TELNET protocol that may allow an attacker to pass on

Summary

CVE-2023-27535

An authentication bypass vulnerability exists in libcurl in the FTP
connection reuse feature that can result in wrong credentials being used
during subsequent transfers. Previously created connections are kept in a
connection pool for reuse if they match the current setup. However, certain
FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER,
CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the
configuration match checks, causing them to match too easily. This could
lead to libcurl using the wrong credentials when performing a transfer,
potentially allowing unauthorized access to sensitive information.

CVE-2023-27536

An authentication bypass vulnerability exists in libcurl in the
connection reuse feature which can reuse previously established connections
with incorrect user permissions due to a failure to check for changes in
the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects
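The two summaries above describe the same bug class: a connection cache keyed on too few attributes, so a pooled connection that was authenticated under one set of FTP or GSSAPI options is handed to a transfer configured with different ones. The following Python model, added here as an illustration and not libcurl's own code, shows a hypothetical pool whose match check either omits the options the advisory lists (the vulnerable behaviour) or includes them (the fixed behaviour). All class, field and function names, and the sample host and credentials, are constructed for the example; only the option names in the comments come from the advisory.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class TransferSetup:
    """Hypothetical per-transfer settings; the comment on each field names
    the curl option it stands in for (values used below are constructed)."""
    scheme: str
    host: str
    port: int
    username: str
    password: str
    ftp_account: str = ""        # CURLOPT_FTP_ACCOUNT
    ftp_alt_user: str = ""       # CURLOPT_FTP_ALTERNATIVE_TO_USER
    ftp_ssl_ccc: int = 0         # CURLOPT_FTP_SSL_CCC
    use_ssl: int = 0             # CURLOPT_USE_SSL
    gssapi_delegation: int = 0   # CURLOPT_GSSAPI_DELEGATION


# Compared by both versions of the model pool.
IDENTITY_FIELDS = ("scheme", "host", "port", "username", "password")
# Per the advisory, the vulnerable match check did not look at these.
OVERLOOKED_FIELDS = ("ftp_account", "ftp_alt_user", "ftp_ssl_ccc",
                     "use_ssl", "gssapi_delegation")


class ConnectionPool:
    """Keeps established connections and hands one back when its setup
    'matches' the transfer about to start."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.connections: List[TransferSetup] = []

    def _matches(self, cached: TransferSetup, wanted: TransferSetup) -> bool:
        if any(getattr(cached, f) != getattr(wanted, f) for f in IDENTITY_FIELDS):
            return False
        if not self.patched:
            # Bug: a connection authenticated under different FTP/GSSAPI
            # settings still counts as a match.
            return True
        return all(getattr(cached, f) == getattr(wanted, f) for f in OVERLOOKED_FIELDS)

    def acquire(self, wanted: TransferSetup) -> Tuple[TransferSetup, bool]:
        """Return (setup the connection was created with, reused?)."""
        for cached in self.connections:
            if self._matches(cached, wanted):
                return cached, True
        self.connections.append(wanted)
        return wanted, False


# Constructed sample setup for the demonstration.
BASE = TransferSetup("ftp", "ftp.example.test", 21, "alice", "s3cret",
                     ftp_account="acct-a")


def reuses_connection(patched: bool, **changed) -> bool:
    """Run two transfers, the second with `changed` options, and report
    whether the second one rode on the first transfer's connection."""
    pool = ConnectionPool(patched=patched)
    pool.acquire(BASE)
    _, reused = pool.acquire(replace(BASE, **changed))
    return reused


def mismatched_fields(patched: bool, **changed) -> List[str]:
    """Settings the pool silently ignored when it reused a connection."""
    pool = ConnectionPool(patched=patched)
    pool.acquire(BASE)
    wanted = replace(BASE, **changed)
    used, reused = pool.acquire(wanted)
    if not reused:
        return []
    return [f for f in OVERLOOKED_FIELDS if getattr(used, f) != getattr(wanted, f)]


if __name__ == "__main__":
    for patched in (False, True):
        print(f"patched={patched}: FTP account changed, reused? "
              f"{reuses_connection(patched, ftp_account='acct-b')}; "
              f"GSSAPI delegation changed, reused? "
              f"{reuses_connection(patched, gssapi_delegation=1)}")
```

The practical lesson for anyone stuck on an unpatched libcurl is the same as the model: any option that changes who you are or how the session is protected must be part of the reuse key, and until it is, forcing a fresh connection for transfers that change those options is the only safe workaround.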

Severity: critical

-------------------------------------------------------------------------
Package: curl
Version: 7.64.0-4+deb10u6
CVE ID: CVE-2023-27533 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538
