libcurl reuses NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer.
libcurl maintains a pool of connections after a transfer has completed. The pool of connections is then gone through when a new transfer is requested and if there is a live connection available that can be reused, it is preferred instead of creating a new one.
Since NTLM-based authentication is connection oriented instead of request oriented as other HTTP based authentication, it is important that only connections that have been authenticated with the correct username + password are reused. This was done properly for server connections already, but libcurl failed to do it properly for proxy connections using NTLM.
A libcurl application can easily switch user credentials used for a proxy connection between two requests, and that subsequent transfer then MUST make libcurl use another connection. libcurl previously failed to do so.
The effects of this flaw, is that the application could be reusing a proxy connection using the previously used credentials and thus it could be given to or prevented access from resources that it was not intended to.
This problem is very similar to CVE-2014-0015, which was for direct server connections while this is for proxy connections.
{ "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "package": "curl", "URL": "https://curl.se/docs/CVE-2016-0755.json", "severity": "Medium", "www": "https://curl.se/docs/CVE-2016-0755.html", "last_affected": "7.46.0" }