Oracle Linux: CVE-2023-27536: ELSA-2023-6679: curl security update (MODERATE) (Multiple Advisories)

Severity: 5
CVSS: (AV:N/AC:H/Au:N/C:C/I:N/A:N)
Published: 03/20/2023
Created: 08/11/2023
Added: 08/10/2023
Modified: 12/01/2024

Description

An authentication bypass vulnerability exists in libcurl before 8.0.0 in the connection reuse feature: a previously established connection can be reused for a transfer with different user permissions, because libcurl did not check whether the CURLOPT_GSSAPI_DELEGATION option had changed between transfers. This affects krb5/kerberos/negotiate/GSSAPI transfers and could result in unauthorized access to sensitive information. Where libcurl cannot be upgraded, the safest option is for the application not to reuse connections once the CURLOPT_GSSAPI_DELEGATION option has been changed.

A flaw was found in the curl package. libcurl keeps previously used connections in a connection pool so that subsequent transfers can reuse one that matches their setup. However, the GSS delegation setting was left out of the configuration match checks, so connections matched too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.

Solution(s)

oracle-linux-upgrade-curl
oracle-linux-upgrade-curl-minimal
oracle-linux-upgrade-libcurl
oracle-linux-upgrade-libcurl-devel
oracle-linux-upgrade-libcurl-minimal

Note that Oracle Linux ships the fix as a backport: the package version stays below 8.0.0 after the update, so verify remediation against the ELSA/rpm changelog rather than the libcurl version number.

References

https://attackerkb.com/topics/cve-2023-27536
CVE-2023-27536
ELSA-2023-6679
ELSA-2023-4523
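The following is an added example written for this page, not libcurl's own code, that models the connection-pool match described above. Two transfers go to the same Negotiate-protected host (constructed sample data, hostname "kdc-app.example.test"), the first with credential delegation enabled and the second with it disabled. `matches_before_fix` reproduces the pre-8.0.0 behaviour in which the delegation setting is not part of the match, and `matches_fixed` adds the comparison the fix introduced. The real check in curl's url.c compares many more fields (proxy, TLS and SSH settings, and so on); only the fields needed to show the bug are modelled here. The CURLGSSAPI_DELEGATION_* values are the ones defined in curl/curl.h.

```python
"""Model of libcurl connection reuse before and after the CVE-2023-27536 fix.

Illustrative code written for this page; it is not libcurl's implementation.
"""
from dataclasses import dataclass
from typing import Callable, List

# Values of the CURLOPT_GSSAPI_DELEGATION option, as defined in curl/curl.h.
CURLGSSAPI_DELEGATION_NONE = 0          # never delegate credentials
CURLGSSAPI_DELEGATION_POLICY_FLAG = 1   # delegate only if KDC policy allows it
CURLGSSAPI_DELEGATION_FLAG = 2          # always delegate


@dataclass(frozen=True)
class Transfer:
    """The subset of easy-handle options this model matches on."""
    scheme: str
    host: str
    port: int
    user: str
    gssapi_delegation: int


@dataclass
class Connection:
    """A pooled connection, remembering the options it was set up with."""
    cid: int
    scheme: str
    host: str
    port: int
    user: str
    gssapi_delegation: int  # delegation the GSSAPI context was negotiated with


Matcher = Callable[[Connection, Transfer], bool]


def matches_before_fix(conn: Connection, xfer: Transfer) -> bool:
    """Pre-8.0.0 behaviour: the delegation setting is not part of the match."""
    return (conn.scheme, conn.host, conn.port, conn.user) == (
        xfer.scheme, xfer.host, xfer.port, xfer.user)


def matches_fixed(conn: Connection, xfer: Transfer) -> bool:
    """8.0.0 behaviour: reuse only if the delegation setting is identical."""
    return (matches_before_fix(conn, xfer)
            and conn.gssapi_delegation == xfer.gssapi_delegation)


class ConnectionPool:
    """Minimal pool: hand back the first matching connection or open a new one."""

    def __init__(self, matcher: Matcher):
        self.matcher = matcher
        self.conns: List[Connection] = []
        self.next_id = 1

    def acquire(self, xfer: Transfer) -> Connection:
        for conn in self.conns:
            if self.matcher(conn, xfer):
                return conn  # reused, with whatever delegation it was built with
        conn = Connection(self.next_id, xfer.scheme, xfer.host, xfer.port,
                          xfer.user, xfer.gssapi_delegation)
        self.next_id += 1
        self.conns.append(conn)
        return conn


def run_scenario(matcher: Matcher) -> List[int]:
    """Two transfers to the same host (constructed data): delegation on, then off.

    Returns the delegation level actually in effect on the wire for each.
    """
    pool = ConnectionPool(matcher)
    first = Transfer("https", "kdc-app.example.test", 443, "alice",
                     CURLGSSAPI_DELEGATION_FLAG)
    second = Transfer("https", "kdc-app.example.test", 443, "alice",
                      CURLGSSAPI_DELEGATION_NONE)
    return [pool.acquire(first).gssapi_delegation,
            pool.acquire(second).gssapi_delegation]


def delegation_leaked(matcher: Matcher) -> bool:
    """True if the transfer that asked for no delegation rides on a connection
    whose GSSAPI context already delegated the user's credentials."""
    return run_scenario(matcher)[1] != CURLGSSAPI_DELEGATION_NONE


if __name__ == "__main__":
    for name, matcher in (("before fix", matches_before_fix),
                          ("fixed", matches_fixed)):
        print(f"{name}: on-wire delegation per transfer "
              f"{run_scenario(matcher)}, leaked={delegation_leaked(matcher)}")
```

With the old matcher the second transfer, which set CURLGSSAPI_DELEGATION_NONE, is served by the connection negotiated with CURLGSSAPI_DELEGATION_FLAG, which is the permission mismatch the advisory describes; with the fixed matcher a fresh connection is opened. An application that must keep running on an unpatched libcurl gets the equivalent of `matches_fixed` from the caller's side by setting CURLOPT_FRESH_CONNECT (or CURLOPT_FORBID_REUSE on the earlier transfer) whenever it changes CURLOPT_GSSAPI_DELEGATION between transfers on the same handle or share.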