CVE-2024-11053
LOW severity · CVSS 3.4
3.4CVSS LOW
Summary
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
Impact & exploitability
Attack vectorNetwork
Attack complexityHigh
Privileges requiredNone
User interactionRequired
Confidentiality impactLow
Integrity impactNone
Availability impactNone
Exploit probability (EPSS)1%
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Affected products we track (2)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- https://curl.se/docs/CVE-2024-11053.htmlAdvisory
- https://curl.se/docs/CVE-2024-11053.jsonAdvisory
- http://www.openwall.com/lists/oss-security/2024/12/11/1Advisory
- https://security.netapp.com/advisory/ntap-20250124-0012/Advisory
- https://security.netapp.com/advisory/ntap-20250131-0003/Advisory
- https://security.netapp.com/advisory/ntap-20250131-0004/
- https://hackerone.com/reports/2829063Advisory