CVE-2017-2628 - Unspecified vulnerability in Haxx Curl 7.19.7

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148, because the backport did not account for the HAVE_GSSAPI define having meanwhile been replaced by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
Vulnerable Configurations

Part | Count
---|---
Application | 1
OS | 3
Nessus

NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2017-0059.NASL
Description: The remote OracleVM system is missing necessary patches to address critical security updates:
- treat Negotiate authentication as connection-oriented (CVE-2017-2628)
- fix a bug in DNS caching code that causes a memory leak (#1302893)
- SSH: make CURLOPT_SSH_PUBLIC_KEYFILE treat
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 99113
Published: 2017-03-31
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/99113
Title: OracleVM 3.3 / 3.4 : curl (OVMSA-2017-0059)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2017-0847.NASL
Description: An update for curl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es):
- It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. (CVE-2017-2628)
This issue was discovered by Paulo Andrade (Red Hat).
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 99335
Published: 2017-04-13
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/99335
Title: RHEL 6 : curl (RHSA-2017:0847)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20170329_CURL_ON_SL6_X.NASL
Description: Security Fix(es):
- It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. (CVE-2017-2628)
Last seen: 2020-03-18
Modified: 2017-04-06
Plugin id: 99229
Published: 2017-04-06
Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/99229
Title: Scientific Linux Security Update : curl on SL6.x i386/x86_64 (20170329)

NASL family: NewStart CGSL Local Security Checks
NASL id: NEWSTART_CGSL_NS-SA-2019-0104_CURL.NASL
Description: The remote NewStart CGSL host, running version MAIN 4.05, has curl packages installed that are affected by a vulnerability:
- It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. (CVE-2017-2628)
Note that Nessus has not tested for this issue but has instead relied only on the application
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 127334
Published: 2019-08-12
Reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/127334
Title: NewStart CGSL MAIN 4.05 : curl Vulnerability (NS-SA-2019-0104)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2017-0847.NASL
Description: From Red Hat Security Advisory 2017:0847: An update for curl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es):
- It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. (CVE-2017-2628)
This issue was discovered by Paulo Andrade (Red Hat).
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 99075
Published: 2017-03-30
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/99075
Title: Oracle Linux 6 : curl (ELSA-2017-0847)