vulnerability
Oracle Linux: CVE-2023-27536: ELSA-2023-4523: curl security update (MODERATE) (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:N/C:C/I:N/A:N) | Mar 20, 2023 | Aug 10, 2023 | Dec 3, 2025 |
Severity
7
CVSS
(AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published
Mar 20, 2023
Added
Aug 10, 2023
Modified
Dec 3, 2025
Description
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, the GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.
A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, the GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.
Solutions
oracle-linux-upgrade-curloracle-linux-upgrade-curl-minimaloracle-linux-upgrade-libcurloracle-linux-upgrade-libcurl-develoracle-linux-upgrade-libcurl-minimal
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.