A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, the GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.

References

bugzilla.redhat.com/show_bug.cgi?id=2179092

curl.se/docs/CVE-2023-27536.html

nvd.nist.gov/vuln/detail/CVE-2023-27536

www.cve.org/CVERecord?id=CVE-2023-27536

cbl_mariner 5

nvd 1

nessus 50

alpinelinux 1

cvelist 1

ubuntucve 1

hackerone 2

veracode 1

osv 8

debiancve 1

cve 1

prion 1

ibm 19

redhat 39

rocky 1

almalinux 2

oraclelinux 2

cloudlinux 1

amazon 2

ubuntu 2

openvas 27

cloudfoundry 2

debian 1

redos 1

photon 4

freebsd 1

fedora 3

slackware 1

mageia 1

aix 1

gentoo 1

ics 3

tenable 1

cbl_mariner

CVE-2023-27536 affecting package rust for versions less than 1.72.0-2

2023-10-11 01:41:59

CVE-2023-27536 affecting package mysql for versions less than 8.0.34-1

2023-11-17 23:23:29

CVE-2023-27536 affecting package curl for versions less than 8.0.1-1

2023-04-16 00:48:11

nvd

CVE-2023-27536

2023-03-30 20:15:07

nessus

CBL Mariner 2.0 Security Update: curl (CVE-2023-27536)

2023-04-20 00:00:00

RHEL 8 : curl (RHSA-2023:4523)

2023-08-08 00:00:00

Oracle Linux 8 : curl (ELSA-2023-4523)

2023-08-15 00:00:00

alpinelinux

CVE-2023-27536

2023-03-30 20:15:07

cvelist

CVE-2023-27536

2023-03-30 00:00:00

ubuntucve

CVE-2023-27536

2023-03-20 00:00:00

hackerone

curl: CVE-2023-27536: GSS delegation too eager connection re-use

2023-03-07 11:00:18

Internet Bug Bounty: CVE-2023-27536: GSS delegation too eager connection re-use

2023-03-20 07:42:24

veracode

Authentication Bypass

2023-03-21 00:30:20

osv

GSS delegation too eager connection re-use

2023-03-20 08:00:00

CVE-2023-27536

2023-03-30 20:15:07

Moderate: curl security update

2023-10-06 23:10:01

debiancve

CVE-2023-27536

2023-03-30 20:15:07

cve

CVE-2023-27536

2023-03-30 20:15:07

prion

Authentication flaw

2023-03-30 20:15:00

ibm

Security Bulletin: IBM Event Streams is affected by a libcurl vulnerability

2023-10-11 11:44:46

Security Bulletin: IBM Storage Ceph is vulnerable to Improper Authentication in the RHEL UBI (CVE-2023-27536)

2024-01-19 22:15:28

Security Bulletin: TSSC/IMC is vulnerable to aritrary code excecution due to curl (CVE-2023-27536, CVE-2023-28321)

2024-06-20 23:50:43

redhat

(RHSA-2023:4523) Moderate: curl security update

2023-08-08 07:21:00

(RHSA-2023:6679) Moderate: curl security update

2023-11-07 06:11:52

(RHSA-2024:0428) Moderate: curl security and bug fix update

2024-01-24 14:40:32

rocky

curl security update

2023-10-06 23:10:01

almalinux

Moderate: curl security update

2023-08-08 00:00:00

Moderate: curl security update

2023-11-07 00:00:00

oraclelinux

curl security update

2023-08-10 00:00:00

curl security update

2023-11-11 00:00:00

cloudlinux

curl: Fix of 3 CVEs

2023-04-14 16:45:12

amazon

Medium: curl

2023-04-13 19:01:00

Medium: curl

2023-06-05 16:39:00

ubuntu

curl vulnerabilities

2023-03-27 00:00:00

curl vulnerabilities

2023-03-20 00:00:00

openvas

Ubuntu: Security Advisory (USN-5964-2)

2023-03-28 00:00:00

Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2023-3395)

2023-12-14 00:00:00

Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2023-2328)

2023-07-10 00:00:00

cloudfoundry

USN-5964-2: curl vulnerabilities | Cloud Foundry

2023-04-24 00:00:00

USN-5964-1: curl vulnerabilities | Cloud Foundry

2023-04-29 00:00:00

debian

[SECURITY] [DLA 3398-1] curl security update

2023-04-21 20:04:44

redos

ROS-20230407-01

2023-04-07 00:00:00

photon

Important Photon OS Security Update - PHSA-2023-4.0-0371

2023-04-06 00:00:00

Important Photon OS Security Update - PHSA-2023-3.0-0564

2023-04-06 00:00:00

Critical Photon OS Security Update - PHSA-2023-3.0-0603

2023-06-26 00:00:00

freebsd

curl -- multiple vulnerabilities

2023-03-20 00:00:00

fedora

[SECURITY] Fedora 38 Update: curl-7.87.0-7.fc38

2023-03-29 00:19:18

[SECURITY] Fedora 36 Update: curl-7.82.0-14.fc36

2023-04-09 01:41:25

[SECURITY] Fedora 37 Update: curl-7.85.0-8.fc37

2023-03-27 02:01:30

slackware

[slackware-security] curl

2023-03-20 19:35:43

mageia

Updated curl packages fix security vulnerability

2023-09-25 01:16:18

aix

Multiple vulnerabilities cURL libcurl affect AIX

2023-06-29 09:35:59

gentoo

curl: Multiple Vulnerabilities

2023-10-11 00:00:00

ics

Siemens SINEC NMS

2024-02-15 12:00:00

Siemens SCALANCE XCM-/XRM-300

2024-02-15 12:00:00

Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1

2023-12-14 12:00:00

tenable

[R1] Nessus Network Monitor 6.2.2 Fixes Multiple Vulnerabilities

2023-06-29 10:45:47

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

60.2%

JSON

Related for RH:CVE-2023-27536