PT-2024-9413 · Curl+13
Daniel Stenberg +1
Published 2024-11-08 · Updated 2026-05-18
CVE-2024-11053
CVSS v2.0
9.4
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions:
curl versions 6.5 through 8.11.0
Description:
The issue arises when curl is used with a .netrc file for credentials and follows HTTP redirects. Under certain circumstances, curl could leak the password used for the first host to the followed-to host. This flaw only manifests itself if the .netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
Recommendations:
For versions 6.5 through 8.11.0, upgrade to version 8.11.1 or later to mitigate the risk of credential leakage. As a temporary workaround, consider avoiding the use of .netrc files with curl or restricting access to sensitive information when following HTTP redirects.
Exploit
Fix
DoS
Information Disclosure
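An added audit helper (not curl's code and not part of this advisory) that flags .netrc entries of the shape described above: an entry matching a given redirect-target hostname that omits the password, or both login and password. It assumes the usual machine/default/login/password token syntax, skips macdef blocks, and treats a default entry as matching any host; the sample .netrc is constructed.

```python
from typing import Dict, List, Optional

Entry = Dict[str, Optional[str]]


def _strip_macdefs(text: str) -> str:
    """Drop 'macdef' blocks (they run until a blank line) so macro bodies are not parsed as tokens."""
    kept, skipping = [], False
    for line in text.splitlines():
        if skipping:
            skipping = bool(line.strip())  # a blank line ends the macro body
            continue
        if line.split()[:1] == ["macdef"]:
            skipping = True
            continue
        kept.append(line)
    return "\n".join(kept)


def parse_netrc(text: str) -> List[Entry]:
    """Parse machine/default entries; 'machine' is None for a default entry."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    tokens = _strip_macdefs(text).split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("machine", "default"):
            current = {"machine": None, "login": None, "password": None}
            if tok == "machine" and i + 1 < len(tokens):
                i += 1
                current["machine"] = tokens[i]
            entries.append(current)
        elif tok in ("login", "password", "account") and current is not None and i + 1 < len(tokens):
            i += 1
            current[tok] = tokens[i]
        i += 1
    return entries


def risky_entries(text: str, redirect_host: str) -> List[Entry]:
    """Entries matching redirect_host (assumption: a 'default' entry matches any host)
    that omit the password, or both login and password: the shape the advisory describes."""
    return [e for e in parse_netrc(text)
            if e["machine"] in (None, redirect_host) and e["password"] is None]


# Constructed sample .netrc: mirror.example has a login but no password.
SAMPLE_NETRC = """\
machine origin.example login alice password s3cret
machine mirror.example login bob
machine other.example login carol password p4ss
"""

if __name__ == "__main__":
    for e in risky_entries(SAMPLE_NETRC, "mirror.example"):
        print("entry would trigger the leak on redirect to:", e["machine"], "login:", e["login"])
```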
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Ibm Aix
Linuxmint
Mysql Server
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Curl