CVE-2024-11053 — Sensitive Information Exposure in Curl

CWE-200 — Sensitive Information Exposure15 documents10 sources

Severity

3.4LOWNVD

EPSS

0.9%

top 23.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Curl Netapp Ontap

Timeline

PublishedDec 11

Latest updateJun 22

Description

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages4 packages

▶NVDhaxx/curl7.76.0 — 8.11.1

▶Alpinehaxx/curl< 8.11.1-r0+5

▶Debianhaxx/curl< 7.88.1-10+deb12u10+2

▶CVEListV5curl/curl8.11.0 — 8.11.0+196

Also affects: Ontap 9

🔴Vulnerability Details

OSV

CVE-2024-11053: When asked to both use a `↗2024-12-11

▶

OSV

CVE-2024-11053: When asked to both use a `↗2024-12-11

▶

CVEList

netrc and redirect credential leak↗2024-12-11

▶

GHSA

GHSA-h288-5fq8-5pfw: When asked to both use a `↗2024-12-11

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (curl) — CVE-2024-11053↗2025-04-15

▶

Oracle

Oracle Oracle MySQL Risk Matrix: Enterprise Backup (curl) — CVE-2024-11053↗2025-01-15

▶

Ubuntu

curl vulnerability↗2024-12-16

▶

Red Hat

curl: curl netrc password leak↗2024-12-11

▶

Microsoft

netrc and redirect credential leak↗2024-12-10

▶

💬Community

HackerOne

Credential leak on redirect due to improper state clearing when parsing macdef in netrc.c↗2025-06-22

▶

HackerOne

CVE-2025-0167: netrc and default credential leak↗2025-02-07

▶

HackerOne

netrc and redirect credential leak↗2025-01-15

▶

HackerOne

CVE-2024-11053: netrc + redirect credential leak↗2024-12-11

▶