{
  "threat_severity" : "Moderate",
  "public_date" : "2023-03-20T00:00:00Z",
  "bugzilla" : {
    "description" : "curl: GSS delegation too eager connection re-use",
    "id" : "2179092",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2179092"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-305",
  "details" : [ "An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.", "A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, the GSS delegation setting was left out of the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers." ],
  "acknowledgement" : "Red Hat would like to thank Daniel Stenberg and Harry Sintonen for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-08-08T00:00:00Z",
    "advisory" : "RHSA-2023:4523",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "curl-0:7.61.1-30.el8_8.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0428",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.6",
    "package" : "curl-0:7.61.1-22.el8_6.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6679",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "curl-0:7.76.1-26.el9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6679",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "curl-0:7.76.1-26.el9"
  } ],
  "package_state" : [ {
    "product_name" : ".NET Core 3.1 on Red Hat Enterprise Linux",
    "fix_state" : "Out of support scope",
    "package_name" : "rh-dotnet31-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:3.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Affected",
    "package_name" : "jbcs-httpd24-curl",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-27536\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-27536\nhttps://curl.se/docs/CVE-2023-27536.html" ],
  "name" : "CVE-2023-27536",
  "csaw" : false
}