CVE-2011-2192 | Vulnerability Database | Aqua Security

The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.

Affected Software

Name	Vendor	Start Version	End Version
Libcurl	Haxx	7.10.6 (including)	7.21.6 (including)
Curl	Ubuntu	hardy	*
Curl	Ubuntu	lucid	*
Curl	Ubuntu	maverick	*
Curl	Ubuntu	natty	*
Curl	Ubuntu	upstream	*
Red Hat Enterprise Linux 4	RedHat	curl-0:7.12.1-17.el4	*
Red Hat Enterprise Linux 5	RedHat	curl-0:7.15.5-9.el5_6.3	*
Red Hat Enterprise Linux 6	RedHat	curl-0:7.19.7-26.el6_1.1	*

References

http://curl.haxx.se/curl-gssapi-delegation.patch
http://curl.haxx.se/docs/adv_20110623.html
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062287.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061992.html
http://secunia.com/advisories/45047
http://secunia.com/advisories/45067
http://secunia.com/advisories/45088
http://secunia.com/advisories/45144
http://secunia.com/advisories/45181
http://secunia.com/advisories/48256
http://security.gentoo.org/glsa/glsa-201203-02.xml
http://support.apple.com/kb/HT5130
http://www.debian.org/security/2011/dsa-2271
http://www.mandriva.com/security/advisories?name=MDVSA-2011:116
http://www.redhat.com/support/errata/RHSA-2011-0918.html
http://www.securitytracker.com/id?1025713
http://www.ubuntu.com/usn/USN-1158-1
https://bugzilla.redhat.com/show_bug.cgi?id=711454

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-2192
CWE	https://cwe.mitre.org/data/definitions/255.html