libcurl might reuse OAUTH2-authenticated connections without properly making
sure that the connection was authenticated with the same credentials as set
for this transfer. This affects SASL-enabled protcols: SMTP(S), IMAP(S),
POP3(S) and LDAP(S) (openldap only).
libcurl maintains a pool of connections after a transfer has completed. The
pool of connections is then gone through when a new transfer is requested and
if thereโs a live connection available that can be reused, it is preferred
instead of creating a new one.
A connection that is successfully created and authenticated with a user name +
OAUTH2 bearer could subsequently be reused even for user + [other OAUTH2
bearer], even though that might not even be a valid bearer. This could lead to
an authenticion bypass, either by mistake or by a malicious actor.
The problem can be demontrated using an imap server supporting OAUTH2 authentication using command:
curl 'imap://server:port/path/;MAILINDEX=1' --login-options 'AUTH=OAUTHBEARER' -u user: --oauth2-bearer validbearer --next 'imap://server:port/path/;MAILINDEX=1' --login-options 'AUTH=OAUTHBEARER' -u user: --oauth2-bearer anything
Note:
This vulnerability has been assigned CWE-305 โAuthentication Bypass by Primary Weaknessโ that is not selectable on the current IBB form.
Unauthorized access.