CVE-2011-2192 | Vulnerability Database | Aqua Security

The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.

Affected Software

Name	Vendor	Start Version	End Version
Libcurl	Haxx	7.10.6	7.21.6

References

http://curl.haxx.se/curl-gssapi-delegation.patch
http://curl.haxx.se/docs/adv_20110623.html
https://bugzilla.redhat.com/show_bug.cgi?id=711454
http://www.ubuntu.com/usn/USN-1158-1
http://www.redhat.com/support/errata/RHSA-2011-0918.html
http://secunia.com/advisories/45088
http://secunia.com/advisories/45181
http://secunia.com/advisories/45144
http://www.debian.org/security/2011/dsa-2271
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061992.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062287.html
http://www.securitytracker.com/id?1025713
http://www.mandriva.com/security/advisories?name=MDVSA-2011:116
http://secunia.com/advisories/45067
http://secunia.com/advisories/45047
http://support.apple.com/kb/HT5130
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
http://security.gentoo.org/glsa/glsa-201203-02.xml
http://secunia.com/advisories/48256

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-2192
CWE	https://cwe.mitre.org/data/definitions/255.html