A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL level.

References

bugzilla.redhat.com/show_bug.cgi?id=2179073

curl.se/docs/CVE-2023-27535.html

nvd.nist.gov/vuln/detail/CVE-2023-27535

www.cve.org/CVERecord?id=CVE-2023-27535

osv 8

nessus 55

debiancve 1

hackerone 2

cbl_mariner 5

alpinelinux 1

redhat 40

veracode 1

almalinux 2

oraclelinux 2

cve 1

rocky 1

ubuntucve 1

prion 1

ibm 17

cvelist 1

nvd 1

openvas 27

cloudfoundry 2

cloudlinux 1

amazon 2

ubuntu 2

debian 1

redos 1

rosalinux 1

fedora 3

slackware 1

freebsd 1

photon 4

aix 1

mageia 1

gentoo 1

ics 3

tenable 1

osv

Moderate: curl security and bug fix update

2023-05-18 19:18:14

Moderate: curl security and bug fix update

2023-05-16 00:00:00

CVE-2023-27535

2023-03-30 20:15:07

nessus

RHEL 8 : curl (RHSA-2023:3106)

2023-05-17 00:00:00

AlmaLinux 8 : curl (ALSA-2023:3106)

2023-05-19 00:00:00

CentOS 8 : curl (CESA-2023:3106)

2024-02-08 00:00:00

debiancve

CVE-2023-27535

2023-03-30 20:15:07

hackerone

curl: CVE-2023-27535: FTP too eager connection reuse

2023-03-05 21:25:18

Internet Bug Bounty: CVE-2023-27535: FTP too eager connection reuse

2023-03-20 07:38:58

cbl_mariner

CVE-2023-27535 affecting package rust for versions less than 1.72.0-2

2023-10-11 01:41:59

CVE-2023-27535 affecting package tensorflow for versions less than 2.16.1-1

2024-04-17 22:02:46

CVE-2023-27535 affecting package curl for versions less than 8.0.1-1

2023-04-16 00:48:11

alpinelinux

CVE-2023-27535

2023-03-30 20:15:07

redhat

(RHSA-2023:3106) Moderate: curl security and bug fix update

2023-05-16 09:15:27

(RHSA-2023:2650) Moderate: curl security update

2023-05-09 10:14:37

(RHSA-2023:3342) Moderate: OpenShift Container Platform 4.13.4 CNF vRAN extras security update

2023-06-21 16:52:33

veracode

Authentication Bypass

2023-03-21 00:27:47

almalinux

Moderate: curl security update

2023-05-09 00:00:00

Moderate: curl security and bug fix update

2023-05-16 00:00:00

oraclelinux

curl security update

2023-05-17 00:00:00

curl security and bug fix update

2023-05-25 00:00:00

cve

CVE-2023-27535

2023-03-30 20:15:07

rocky

curl security and bug fix update

2023-05-18 19:18:14

ubuntucve

CVE-2023-27535

2023-03-20 00:00:00

prion

Authentication flaw

2023-03-30 20:15:00

ibm

Security Bulletin: IBM Storage Ceph is vulnerable to Improper Authentication in the RHEL UBI (CVE-2023-27535)

2024-01-19 22:05:22

Security Bulletin: IBM Event Streams is affected by libcurl vulnerability

2023-10-11 11:43:11

Security Bulletin: IBM MQ is affected by vulnerabilities in libcURL (CVE-2023-23916, CVE-2023-27535)

2023-06-22 17:22:44

cvelist

CVE-2023-27535

2023-03-30 00:00:00

nvd

CVE-2023-27535

2023-03-30 20:15:07

openvas

Ubuntu: Security Advisory (USN-5964-2)

2023-03-28 00:00:00

Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2023-2510)

2023-08-01 00:00:00

Debian: Security Advisory (DLA-3398-1)

2023-04-24 00:00:00

cloudfoundry

USN-5964-2: curl vulnerabilities | Cloud Foundry

2023-04-24 00:00:00

USN-5964-1: curl vulnerabilities | Cloud Foundry

2023-04-29 00:00:00

cloudlinux

curl: Fix of 3 CVEs

2023-04-14 16:45:12

amazon

Medium: curl

2023-04-13 19:01:00

Medium: curl

2023-06-05 16:39:00

ubuntu

curl vulnerabilities

2023-03-27 00:00:00

curl vulnerabilities

2023-03-20 00:00:00

debian

[SECURITY] [DLA 3398-1] curl security update

2023-04-21 20:04:44

redos

ROS-20230407-01

2023-04-07 00:00:00

rosalinux

Advisory ROSA-SA-2023-2221

2023-08-22 13:21:47

fedora

[SECURITY] Fedora 38 Update: curl-7.87.0-7.fc38

2023-03-29 00:19:18

[SECURITY] Fedora 37 Update: curl-7.85.0-8.fc37

2023-03-27 02:01:30

[SECURITY] Fedora 36 Update: curl-7.82.0-14.fc36

2023-04-09 01:41:25

slackware

[slackware-security] curl

2023-03-20 19:35:43

freebsd

curl -- multiple vulnerabilities

2023-03-20 00:00:00

photon

Important Photon OS Security Update - PHSA-2023-4.0-0371

2023-04-06 00:00:00

Important Photon OS Security Update - PHSA-2023-3.0-0564

2023-04-06 00:00:00

Critical Photon OS Security Update - PHSA-2023-3.0-0603

2023-06-26 00:00:00

aix

Multiple vulnerabilities cURL libcurl affect AIX

2023-06-29 09:35:59

mageia

Updated curl packages fix security vulnerability

2023-09-25 01:16:18

gentoo

curl: Multiple Vulnerabilities

2023-10-11 00:00:00

ics

Siemens SINEC NMS

2024-02-15 12:00:00

Siemens SCALANCE XCM-/XRM-300

2024-02-15 12:00:00

Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1

2023-12-14 12:00:00

tenable

[R1] Nessus Network Monitor 6.2.2 Fixes Multiple Vulnerabilities

2023-06-29 10:45:47

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

62.4%

JSON

Related for RH:CVE-2023-27535