CVE-2011-2192 — MEDIUM (4.3)

Q: How severe is CVE-2011-2192?

CVE-2011-2192 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2011-2192?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Libcurl, Apple Mac Os X, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux.

Vulnerability Description

The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.

CVSS Score

4.3

MEDIUM

AV:N/AC:M/Au:N/C:P/I:N/A:N

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Haxx	Libcurl	>= 7.10.6, <= 7.21.6
Apple	Mac Os X	< 10.7.3
Fedoraproject	Fedora	14
Debian	Debian Linux	5.0
Canonical	Ubuntu Linux	8.04

Related Weaknesses (CWE)

CWE-255

References

http://curl.haxx.se/curl-gssapi-delegation.patchBroken Link
http://curl.haxx.se/docs/adv_20110623.htmlVendor Advisory
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.htmlMailing ListThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062287.htmlMailing ListThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061992.htmlMailing ListThird Party Advisory
http://secunia.com/advisories/45047Third Party Advisory
http://secunia.com/advisories/45067Third Party Advisory
http://secunia.com/advisories/45088Third Party Advisory
http://secunia.com/advisories/45144Third Party Advisory
http://secunia.com/advisories/45181Third Party Advisory
http://secunia.com/advisories/48256Third Party Advisory
http://security.gentoo.org/glsa/glsa-201203-02.xmlThird Party Advisory
http://support.apple.com/kb/HT5130Third Party Advisory
http://www.debian.org/security/2011/dsa-2271Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2011:116Third Party Advisory

FAQ

What is CVE-2011-2192?

CVE-2011-2192 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which al...

How severe is CVE-2011-2192?

CVE-2011-2192 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2011-2192?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Libcurl, Apple Mac Os X, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux.