CVE-2024-11053

low

Description

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
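To audit a `.netrc` file for the exact precondition the description names (an entry for the redirect target that omits the password, or both login and password), the following added example parses the file with a small tokenizer of its own and flags such entries. It is not curl's code; the sample `.netrc` text and host names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NetrcEntry:
    machine: str                      # host name, or "default"
    login: Optional[str] = None
    password: Optional[str] = None

    def is_incomplete(self) -> bool:
        # Both shapes the advisory names: only the password omitted,
        # or login and password both omitted.
        return self.password is None


def parse_netrc(text: str) -> List[NetrcEntry]:
    """Minimal .netrc tokenizer (machine/default/login/password/account).
    macdef blocks are not supported; this is an audit helper, not curl's parser."""
    entries: List[NetrcEntry] = []
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "default":
            entries.append(NetrcEntry(machine="default")); i += 1
        elif tok == "machine" and nxt is not None:
            entries.append(NetrcEntry(machine=nxt)); i += 2
        elif tok in ("login", "user") and nxt is not None and entries:
            entries[-1].login = nxt; i += 2
        elif tok == "password" and nxt is not None and entries:
            entries[-1].password = nxt; i += 2
        elif tok == "account" and nxt is not None:
            i += 2                    # account value is irrelevant here
        else:
            i += 1                    # unknown token: skip it
    return entries


def incomplete_entries(text: str) -> List[str]:
    """Hosts whose entry lacks a password (the CVE-2024-11053 precondition)."""
    return [e.machine for e in parse_netrc(text) if e.is_incomplete()]


def redirect_leak_risk(text: str, redirect_host: str) -> bool:
    """True when a redirect to redirect_host meets the advisory's condition:
    an entry matches that host but omits the password (or login and password)."""
    return any(e.machine == redirect_host and e.is_incomplete()
               for e in parse_netrc(text))


# Constructed sample .netrc for the demo (not a real credential file).
SAMPLE_NETRC = """
machine api.example.com login alice password s3cret
machine cdn.example.com login bob
machine mirror.example.com
"""
```

Running `incomplete_entries(SAMPLE_NETRC)` lists `cdn.example.com` and `mirror.example.com`; entries like these are the ones to complete or remove on hosts running an affected curl.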

References

https://hackerone.com/reports/2829063

https://curl.se/docs/CVE-2024-11053.json

https://curl.se/docs/CVE-2024-11053.html

http://www.openwall.com/lists/oss-security/2024/12/11/1

Details

Source: Mitre, NVD

Published: 2024-12-11

Updated: 2024-12-15

Risk Information

CVSS v2

Base Score: 4.9

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 3.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Severity: Low