{"id":"CURL-CVE-2016-0755","summary":"NTLM credentials not-checked for proxy connection reuse","details":"libcurl reuses NTLM-authenticated proxy connections without properly making\nsure that the connection was authenticated with the same credentials as set\nfor this transfer.\n\nlibcurl maintains a pool of connections after a transfer has completed. The\npool of connections is then gone through when a new transfer is requested and\nif there is a live connection available that can be reused, it is preferred\ninstead of creating a new one.\n\nSince NTLM-based authentication is *connection oriented* instead of *request\noriented* as other HTTP based authentication, it is important that only\nconnections that have been authenticated with the correct username + password\nare reused. This was done properly for server connections already, but libcurl\nfailed to do it properly for proxy connections using NTLM.\n\nA libcurl application can easily switch user credentials used for a proxy\nconnection between two requests, and that subsequent transfer then MUST make\nlibcurl use another connection.\nlibcurl previously failed to do so.\n\nThe effect of this flaw is that the application could be reusing a proxy\nconnection using the previously used credentials and thus it could be granted\nor denied access to resources that it was not intended to.\n\nThis problem is similar to\n[CVE-2014-0015](https://curl.se/docs/CVE-2014-0015.html), which was for\ndirect server connections while this is for proxy connections.","aliases":["CVE-2016-0755"],"modified":"2025-11-12T00:50:45Z","published":"2016-01-27T08:00:00Z","database_specific":{"CWE":{"id":"CWE-305","desc":"Authentication Bypass by Primary Weakness"},"package":"curl","last_affected":"7.46.0","affects":"both","URL":"https://curl.se/docs/CVE-2016-0755.json","www":"https://curl.se/docs/CVE-2016-0755.html","severity":"Medium"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.10.7"},{"fixed":"7.47.0"}]}],"versions":["7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2016-0755.json"}}],"schema_version":"1.7.3","credits":[{"name":"Isaac Boukris","type":"FINDER"},{"name":"Isaac Boukris","type":"REMEDIATION_DEVELOPER"}]}