5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
9.2 High
AI Score
Confidence
High
0.009 Low
EPSS
Percentile
83.2%
Package : curl
Version : 7.21.0-2.1+squeeze12
CVE ID : CVE-2015-3143 CVE-2015-3148
Several vulnerabilities were discovered in cURL, an URL transfer library:
CVE-2015-3143
NTLM-authenticated connections could be wrongly reused for requests
without any credentials set, leading to HTTP requests being sent
over the connection authenticated as a different user. This is
similar to the issue fixed in DSA-2849-1.
CVE-2015-3148
When doing HTTP requests using the Negotiate authentication method
along with NTLM, the connection used would not be marked as
authenticated, making it possible to reuse it and send requests for
one user over the connection authenticated as a different user.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 7 | kfreebsd-amd64 | curl | < 7.26.0-1+wheezy13 | curl_7.26.0-1+wheezy13_kfreebsd-amd64.deb |
Debian | 7 | armhf | libcurl3-gnutls | < 7.26.0-1+wheezy13 | libcurl3-gnutls_7.26.0-1+wheezy13_armhf.deb |
Debian | 7 | powerpc | libcurl4-openssl-dev | < 7.26.0-1+wheezy13 | libcurl4-openssl-dev_7.26.0-1+wheezy13_powerpc.deb |
Debian | 7 | mips | libcurl4-openssl-dev | < 7.26.0-1+wheezy13 | libcurl4-openssl-dev_7.26.0-1+wheezy13_mips.deb |
Debian | 8 | mipsel | libcurl3-dbg | < 7.38.0-4+deb8u1 | libcurl3-dbg_7.38.0-4+deb8u1_mipsel.deb |
Debian | 8 | kfreebsd-i386 | curl | < 7.38.0-4+deb8u1 | curl_7.38.0-4+deb8u1_kfreebsd-i386.deb |
Debian | 8 | amd64 | libcurl3-dbg | < 7.38.0-4+deb8u1 | libcurl3-dbg_7.38.0-4+deb8u1_amd64.deb |
Debian | 7 | ia64 | libcurl3-gnutls | < 7.26.0-1+wheezy13 | libcurl3-gnutls_7.26.0-1+wheezy13_ia64.deb |
Debian | 7 | kfreebsd-i386 | libcurl3 | < 7.26.0-1+wheezy13 | libcurl3_7.26.0-1+wheezy13_kfreebsd-i386.deb |
Debian | 8 | armhf | libcurl4-openssl-dev | < 7.38.0-4+deb8u1 | libcurl4-openssl-dev_7.38.0-4+deb8u1_armhf.deb |