libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to doing the second transfer with the wrong credentials.
libcurl keeps previously used connections in a connection pool for subsequent
transfers to reuse if one of them matches the setup. However, several FTP
settings were left out from the configuration match checks, making them match
too easily. The settings in questions are CURLOPT_FTP_ACCOUNT
,
CURLOPT_FTP_ALTERNATIVE_TO_USER
, CURLOPT_FTP_SSL_CCC
and CURLOPT_USE_SSL
level.
{ "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "award": { "amount": "2400", "currency": "USD" }, "URL": "https://curl.se/docs/CVE-2023-27535.json", "package": "curl", "severity": "Medium", "issue": "https://hackerone.com/reports/1892780", "www": "https://curl.se/docs/CVE-2023-27535.html", "last_affected": "7.88.1" }