{"id":"CURL-CVE-2011-2192","summary":"inappropriate GSSAPI delegation","details":"When doing GSSAPI authentication, libcurl unconditionally performs\ncredential delegation. This hands the server a copy of the client's security\ncredentials, allowing the server to impersonate the client to any other\nserver using the same GSSAPI mechanism. This is obviously a sensitive operation,\nwhich should only be done when the user explicitly so directs.\n\nThe GSS/Negotiate feature is only used by libcurl for HTTP authentication if\ntold to, and only if libcurl was built with a library that provides the\nGSSAPI. Many builds of libcurl do not have GSS enabled.","aliases":["CVE-2011-2192"],"modified":"2026-04-25T16:17:54.134861Z","published":"2011-06-23T08:00:00Z","database_specific":{"affects":"both","URL":"https://curl.se/docs/CVE-2011-2192.json","last_affected":"7.21.6","severity":"Medium","package":"curl","www":"https://curl.se/docs/CVE-2011-2192.html","CWE":{"id":"CWE-281","desc":"Improper Preservation of Permissions"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.10.6"},{"fixed":"7.21.7"}]}],"versions":["7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2011-2192.json"}}],"schema_version":"1.7.5","credits":[{"name":"Richard Silverman","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"},{"name":"Dan Fandrich","type":"OTHER"},{"name":"Julien Chaffraix","type":"OTHER"}]}