Vulnerability Details : CVE-2011-2192
The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
Threat overview for CVE-2011-2192
- Top countries where our scanners detected CVE-2011-2192: (chart not reproduced here)
- Top open port discovered on systems with this issue: 8200
- IPs affected by CVE-2011-2192: 343
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2011-2192
- Probability of exploitation activity in the next 30 days: 0.23%
- Percentile (the proportion of vulnerabilities scored at or below this one): ~60%
CVSS scores for CVE-2011-2192
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST
CWE ids for CVE-2011-2192
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-2192
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061992.html — [SECURITY] Fedora 15 Update: curl-7.21.3-8.fc15 (Mailing List; Third Party Advisory)
- http://secunia.com/advisories/48256 — Secunia advisory 48256 (Third Party Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:116 — Mandriva advisory MDVSA-2011:116 (Third Party Advisory)
- http://curl.haxx.se/docs/adv_20110623.html — curl: inappropriate GSSAPI delegation, CVE-2011-2192 (Vendor Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0918.html — Red Hat errata RHSA-2011-0918 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=711454 — Bug 711454 (CVE-2011-2192): curl: Improper delegation of client credentials during GSS negotiation (Issue Tracking; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062287.html — [SECURITY] Fedora 14 Update: curl-7.21.0-8.fc14 (Mailing List; Third Party Advisory)
- http://curl.haxx.se/curl-gssapi-delegation.patch — curl GSSAPI delegation patch (Broken Link)
- http://www.securitytracker.com/id?1025713 — cURL GSS/Negotiate Mechanism Discloses Credentials to Remote Servers, SecurityTracker (Third Party Advisory; VDB Entry)
- http://www.debian.org/security/2011/dsa-2271 — Debian Security Information DSA-2271-1 curl (Third Party Advisory)
- http://security.gentoo.org/glsa/glsa-201203-02.xml — cURL: Multiple vulnerabilities (GLSA 201203-02), Gentoo security (Third Party Advisory)
- http://support.apple.com/kb/HT5130 — About the security content of OS X Lion v10.7.3 and Security Update 2012-001, Apple Support (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-1158-1 — USN-1158-1: curl vulnerabilities, Ubuntu security notices (Third Party Advisory)
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html — Apple security-announce list, February 2012 (Mailing List; Third Party Advisory)
Products affected by CVE-2011-2192
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:14:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*