CVE-2012-4545 — elinks - programming error

Description

The http_negotiate_create_context function in protocol/http/http_negotiate.c in ELinks 0.12 before 0.12pre6, when using HTTP Negotiate or GSS-Negotiate authentication, delegates user credentials through GSSAPI, which allows remote servers to authenticate as the client via the delegated credentials.

How to fix CVE-2012-4545

To remediate CVE-2012-4545, upgrade the affected package to a fixed version below.

Debian/elinks—upgrade to 0.12~pre5-9 or later
Debian/elinks—upgrade to 0.12~pre5-2+squeeze1 or later

Is CVE-2012-4545 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.12~pre5-9
from 0, < 0.12~pre5-2+squeeze1

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-4545