CVE-2011-2192
CVE-2011-2192 is a vulnerability of currently unknown severity. The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests. EPSS estimates a 2.99% chance of exploitation in the next 30 days.
Description
The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Haxx | Libcurl | >= 7.10.6, <= 7.21.6 |
| Apple | Mac OS X | < 10.7.3 |
| Fedoraproject | Fedora | 14 |
| Fedoraproject | Fedora | 15 |
| Debian | Debian Linux | 5.0 |
| Debian | Debian Linux | 6.0 |
| Debian | Debian Linux | 7.0 |
| Canonical | Ubuntu Linux | 8.04 |
| Canonical | Ubuntu Linux | 10.04 |
| Canonical | Ubuntu Linux | 10.10 |
| Canonical | Ubuntu Linux | 11.04 |
References
- http://curl.haxx.se/docs/adv_20110623.html (Vendor Advisory)
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html (Mailing List, Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062287.html (Mailing List, Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061992.html (Mailing List, Third Party Advisory)
- http://secunia.com/advisories/45047 (Third Party Advisory)
- http://secunia.com/advisories/45067 (Third Party Advisory)
- http://secunia.com/advisories/45088 (Third Party Advisory)
- http://secunia.com/advisories/45144 (Third Party Advisory)
- http://secunia.com/advisories/45181 (Third Party Advisory)
- http://secunia.com/advisories/48256 (Third Party Advisory)
- http://security.gentoo.org/glsa/glsa-201203-02.xml (Third Party Advisory)
- http://support.apple.com/kb/HT5130 (Third Party Advisory)
- http://www.debian.org/security/2011/dsa-2271 (Third Party Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:116 (Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0918.html (Third Party Advisory)
- http://www.securitytracker.com/id?1025713 (Third Party Advisory, VDB Entry)
- http://www.ubuntu.com/usn/USN-1158-1 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=711454 (Issue Tracking, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
