CVE-2016-0755

Published on: 01/29/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:14 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Certain versions of Ubuntu Linux from Canonical contain the following vulnerability:

The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.

  • CVE-2016-0755 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.3 - HIGH

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK LOW NONE NONE
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED LOW LOW LOW

CVSS2 Score: 5 - MEDIUM

Access
Vector
Access
Complexity
Authentication
NETWORK LOW NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
NONE PARTIAL NONE

CVE References

Description Tags Link
openSUSE-SU-2016:0360-1: moderate: Security update for curl lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:0360
The Slackware Linux Project: Slackware Security Advisories www.slackware.com
text/html
URL Logo SLACKWARE SSA:2016-039-01
About the security content of macOS Sierra 10.12 - Apple Support support.apple.com
text/html
URL Logo CONFIRM support.apple.com/HT207170
openSUSE-SU-2016:0376-1: moderate: Security update for curl lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:0376
Slackware Security Advisory - curl Updates ≈ Packet Storm packetstormsecurity.com
text/html
URL Logo MISC packetstormsecurity.com/files/135695/Slackware-Security-Advisory-curl-Updates.html
libcurl Lets Remote Users Bypass NTLM Proxy Authentication on the Target System - SecurityTracker www.securitytracker.com
text/html
URL Logo SECTRACK 1034882
[SECURITY] Fedora 23 Update: mingw-curl-7.47.0-1.fc23 lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2016-55137a3adb
APPLE-SA-2016-09-20 macOS Sierra 10.12 lists.apple.com
text/html
URL Logo APPLE APPLE-SA-2016-09-20
USN-2882-1: curl vulnerability | Ubuntu www.ubuntu.com
text/html
URL Logo UBUNTU USN-2882-1
openSUSE-SU-2016:0373-1: moderate: Security update for curl lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:0373
curl - NTLM credentials not-checked for proxy connection re-use Vendor Advisory
curl.haxx.se
text/html
URL Logo CONFIRM curl.haxx.se/docs/adv_20160127A.html
cURL/libcURL NTLM Connection CVE-2016-0755 Remote Security Bypass Vulnerability cve.report (archive)
text/html
URL Logo BID 82307
Debian -- Security Information -- DSA-3455-1 curl www.debian.org
Depreciated Link
text/html
URL Logo DEBIAN DSA-3455
[SECURITY] Fedora 22 Update: curl-7.40.0-8.fc22 lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2016-3fa315a5dd
CPU Oct 2018 www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
[SECURITY] Fedora 22 Update: mingw-curl-7.47.0-1.fc22 lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2016-5a141de5d9
cURL: Multiple vulnerabilities (GLSA 201701-47) — Gentoo security security.gentoo.org
text/html
URL Logo GENTOO GLSA-201701-47
[SECURITY] Fedora 23 Update: curl-7.43.0-5.fc23 lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2016-57bebab3b6

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
Operating
System
CanonicalUbuntu Linux12.04AllAllAll
Operating
System
CanonicalUbuntu Linux14.04AllAllAll
Operating
System
CanonicalUbuntu Linux15.04AllAllAll
Operating
System
CanonicalUbuntu Linux15.10AllAllAll
Operating
System
CanonicalUbuntu Linux12.04AllAllAll
Operating
System
CanonicalUbuntu Linux14.04AllAllAll
Operating
System
CanonicalUbuntu Linux15.04AllAllAll
Operating
System
CanonicalUbuntu Linux15.10AllAllAll
Operating
System
DebianDebian Linux7.0AllAllAll
Operating
System
DebianDebian Linux7.0AllAllAll
ApplicationHaxxCurlAllAllAllAll
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*:
  • cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*: