CVE-2011-2192

Summary

The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.

Impact & exploitability

AV:N/AC:M/Au:N/C:P/I:N/A:N

Affected products we track (1)

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

• NVD record
• http://curl.haxx.se/docs/adv_20110623.htmlAdvisory
• http://curl.haxx.se/curl-gssapi-delegation.patch
• http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.htmlAdvisory
• http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062287.htmlAdvisory
• http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061992.htmlAdvisory
• http://secunia.com/advisories/45047Advisory
• http://secunia.com/advisories/45067Advisory
• http://secunia.com/advisories/45088Advisory