CVE-2023-27535

medium

Published 2023-05-09 · Modified 2023-05-16

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.5

Description

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2023-27535 NameCVE-2023-27535 DescriptionAn authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT,…

CVE-2023-27535

Name	CVE-2023-27535
Description	An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3398-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
curl (PTS)	bullseye	7.74.0-1.3+deb11u13	fixed
	bullseye (security)	7.74.0-1.3+deb11u16	fixed
	bookworm	7.88.1-10+deb12u14	fixed
	bookworm (security)	7.88.1-10+deb12u5	fixed
	trixie	8.14.1-2+deb13u3	fixed
	forky	8.20.0-2	fixed
	sid	8.20.0-5	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
curl	source	buster	7.64.0-4+deb10u6	DLA-3398-1
curl	source	bullseye	7.74.0-1.3+deb11u8
curl	source	(unstable)	7.88.1-7

Notes

https://curl.se/docs/CVE-2023-27535.html
Introduced by: https://github.com/curl/curl/commit/177dbc7be07125582ddb7416dba7140b88ab9f62 (curl-7_13_0)
Fixed by: https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1 (curl-8_0_0)

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://curl.se/docs/CVE-2023-27535.htmlIntroduced by: https://github.com/curl/curl/commit/177dbc7be07125582ddb7416dba7140b88ab9f62 (curl-7_13_0)Fixed by: https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1 (curl-8_0_0)

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`7.88.1-7`
sid	Fixed	`7.88.1-7`
forky	Fixed	`7.88.1-7`
bullseye	Fixed	`7.74.0-1.3+deb11u8`
bookworm	Fixed	`7.88.1-7`

Red Hat Fixed 2 releases

Version	Status	Fixed in
9	Fixed	—
8	Fixed	—

Rocky Linux Fixed 1 release

Version	Status	Fixed in
8	Fixed	—

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.