Description
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
Reserved 2024-11-09 | Published 2024-12-11 | Updated 2024-12-15 | Assigner: curl
Problem types
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Product status
Default status: unaffected
Affected (every release from 6.5 through 8.11.0):
8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0, 8.7.1, 8.7.0, 8.6.0, 8.5.0, 8.4.0, 8.3.0, 8.2.1, 8.2.0, 8.1.2, 8.1.1, 8.1.0, 8.0.1, 8.0.0,
7.88.1, 7.88.0, 7.87.0, 7.86.0, 7.85.0, 7.84.0, 7.83.1, 7.83.0, 7.82.0, 7.81.0, 7.80.0,
7.79.1, 7.79.0, 7.78.0, 7.77.0, 7.76.1, 7.76.0, 7.75.0, 7.74.0, 7.73.0, 7.72.0, 7.71.1, 7.71.0, 7.70.0,
7.69.1, 7.69.0, 7.68.0, 7.67.0, 7.66.0, 7.65.3, 7.65.2, 7.65.1, 7.65.0, 7.64.1, 7.64.0, 7.63.0, 7.62.0, 7.61.1, 7.61.0, 7.60.0,
7.59.0, 7.58.0, 7.57.0, 7.56.1, 7.56.0, 7.55.1, 7.55.0, 7.54.1, 7.54.0, 7.53.1, 7.53.0, 7.52.1, 7.52.0, 7.51.0, 7.50.3, 7.50.2, 7.50.1, 7.50.0,
7.49.1, 7.49.0, 7.48.0, 7.47.1, 7.47.0, 7.46.0, 7.45.0, 7.44.0, 7.43.0, 7.42.1, 7.42.0, 7.41.0, 7.40.0,
7.39.0, 7.38.0, 7.37.1, 7.37.0, 7.36.0, 7.35.0, 7.34.0, 7.33.0, 7.32.0, 7.31.0, 7.30.0,
7.29.0, 7.28.1, 7.28.0, 7.27.0, 7.26.0, 7.25.0, 7.24.0, 7.23.1, 7.23.0, 7.22.0,
7.21.7, 7.21.6, 7.21.5, 7.21.4, 7.21.3, 7.21.2, 7.21.1, 7.21.0, 7.20.1, 7.20.0,
7.19.7, 7.19.6, 7.19.5, 7.19.4, 7.19.3, 7.19.2, 7.19.1, 7.19.0, 7.18.2, 7.18.1, 7.18.0, 7.17.1, 7.17.0,
7.16.4, 7.16.3, 7.16.2, 7.16.1, 7.16.0, 7.15.5, 7.15.4, 7.15.3, 7.15.2, 7.15.1, 7.15.0, 7.14.1, 7.14.0,
7.13.2, 7.13.1, 7.13.0, 7.12.3, 7.12.2, 7.12.1, 7.12.0, 7.11.2, 7.11.1, 7.11.0,
7.10.8, 7.10.7, 7.10.6, 7.10.5, 7.10.4, 7.10.3, 7.10.2, 7.10.1, 7.10,
7.9.8, 7.9.7, 7.9.6, 7.9.5, 7.9.4, 7.9.3, 7.9.2, 7.9.1, 7.9, 7.8.1, 7.8, 7.7.3, 7.7.2, 7.7.1, 7.7, 7.6.1, 7.6,
7.5.2, 7.5.1, 7.5, 7.4.2, 7.4.1, 7.4, 7.3, 7.2.1, 7.2, 7.1.1, 7.1, 6.5.2, 6.5.1, 6.5
Credits
Harry Sintonen (finder)
Daniel Stenberg (remediation developer)
References
curl.se/docs/CVE-2024-11053.json (json)
curl.se/docs/CVE-2024-11053.html (www)
hackerone.com/reports/2829063 (issue)
cve.org (CVE-2024-11053)
nvd.nist.gov (CVE-2024-11053)