CVE-2023-27536: 
MySQL vulnerability analysis and mitigation

An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPTGSSAPIDELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information (NIST NVD, Curl Advisory).

The vulnerability exists in the connection reuse feature of libcurl versions from 7.22.0 to and including 7.88.1. The issue stems from the GSS delegation setting being left out from the configuration match checks, making connections match too easily when performing krb5/kerberos/negotiate/GSSAPI transfers. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NIST NVD, NetApp Advisory).

The successful exploitation of this vulnerability could lead to unauthorized access to sensitive information. The vulnerability specifically affects krb5/kerberos/negotiate/GSSAPI transfers, where an attacker could potentially gain access to resources with incorrect permissions due to the connection reuse issue (Curl Advisory, NetApp Advisory).

The vulnerability has been fixed in curl version 8.0.0 and later. The safest option is to not reuse connections if the CURLOPTGSSAPIDELEGATION option has been changed. Organizations are advised to upgrade to the latest version of curl to address this vulnerability. Various vendors have released patches for their affected products, including Debian, Fedora, and NetApp (Debian Advisory, Fedora Update).