CURL-CVE-2015-3143

Source
https://curl.se/docs/CVE-2015-3143.html
Import Source
https://curl.se/docs/CURL-CVE-2015-3143.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2015-3143
Aliases
Published
2015-04-22T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
Re-using authenticated connection when unauthenticated
Details

libcurl keeps a pool of its last few connections around after use to facilitate easy, convenient and completely transparent connection re-use for applications.

When doing HTTP requests NTLM authenticated, the entire connection becomes authenticated and not just the specific HTTP request which is otherwise how HTTP works. This makes NTLM special and a subject for special treatment in the code. With NTLM, once the connection is authenticated, no further authentication is necessary until the connection gets closed.

libcurl's connection re-use logic selects an existing connection for re-use when asked to do a request, and when asked to use NTLM libcurl have to pick a connection with matching credentials only.

If a connection was first setup and used for an NTLM HTTP request with a specific set of credentials, that same connection could later wrongly get re-used in a subsequent HTTP request that was made to the same host - but without having any credentials set! Since an NTLM connection was already authenticated due to how NTLM works, the subsequent request could then get sent over the wrong connection appearing as the initial user.

This problem is very similar to the previous problem known as CVE-2014-0015. The main difference this time is that the subsequent request that wrongly re-use a connection does not ask for NTLM authentication.

Database specific
{
    "CWE": {
        "id": "CWE-305",
        "desc": "Authentication Bypass by Primary Weakness"
    },
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2015-3143.json",
    "severity": "Medium",
    "www": "https://curl.se/docs/CVE-2015-3143.html",
    "last_affected": "7.41.0"
}
References
Credits
    • Paras Sethia - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git /

Affected ranges

Type
SEMVER
Events
Introduced
7.10.6
Fixed
7.42.0

Affected versions

7.*

7.10.6
7.10.7
7.10.8
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0