CURL-CVE-2011-2192
- Source
- https://curl.se/docs/CVE-2011-2192.html
- Import Source
- https://curl.se/docs/CURL-CVE-2011-2192.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2011-2192
- Aliases
- Published
- 2011-06-23T08:00:00Z
- Modified
- 2025-11-12T00:50:45Z
- Summary
- inappropriate GSSAPI delegation
- Details
-
When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other using the same GSSAPI mechanism. This is obviously a sensitive operation, which should only be done when the user explicitly so directs.
The GSS/Negotiate feature is only used by libcurl for HTTP authentication if told to, and only if libcurl was built with a library that provides the GSSAPI. Many builds of libcurl do not have GSS enabled.
- Database specific
{ "CWE": { "id": "CWE-281", "desc": "Improper Preservation of Permissions" }, "severity": "Medium", "last_affected": "7.21.6", "affects": "both", "www": "https://curl.se/docs/CVE-2011-2192.html", "URL": "https://curl.se/docs/CVE-2011-2192.json", "package": "curl" }- References
-
- Credits
-
-
- Richard Silverman - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
- Dan Fandrich - OTHER
-
- Julien Chaffraix - OTHER
-
Affected packages
Git /
Affected versions
7.*
7.10.6
7.10.7
7.10.8
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6