CVE-2024-11053

LOW

curl - Info Disclosure

Description

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
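An added example (not code from the curl project or from this record): a small Python check that lists the `.netrc` entries meeting the precondition described above, that is, a `machine` entry with no password, with or without a login. The parser is a simplified one written for this example and assumes unquoted values; the function names, the sample file and its hostnames are constructed.

```python
def parse_netrc(text):
    """Simplified .netrc tokenizer (assumption: values are unquoted)."""
    entries, cur, key, in_macro = [], None, None, False
    for line in text.splitlines():
        if in_macro:
            in_macro = bool(line.strip())  # a macdef body ends at a blank line
            continue
        if line.lstrip().startswith("#"):  # whole-line comment
            continue
        for tok in line.split():
            if key:  # this token is the value for the preceding keyword
                if key == "machine":
                    cur = {"machine": tok, "login": None, "password": None}
                    entries.append(cur)
                elif cur is not None and key in ("login", "password"):
                    cur[key] = tok
                key = None
            elif tok in ("machine", "login", "password", "account"):
                key = tok
            elif tok == "default":
                cur = None  # only explicit machine entries are checked here
            elif tok == "macdef":
                in_macro = True
                break
    return entries

def risky_entries(text):
    """Return (hostname, reason) for each machine entry lacking a password."""
    out = []
    for e in parse_netrc(text):
        if e["password"] is None:
            reason = ("login without password" if e["login"]
                      else "no login and no password")
            out.append((e["machine"], reason))
    return out

# Constructed sample file; hostnames and credentials are placeholders.
SAMPLE = """\
# constructed sample
machine a.example login alice password s3cret
machine b.example login bob
machine c.example
default login anonymous password guest
macdef init
machine ignored.example

machine d.example
  login carol
  password hunter2
"""

if __name__ == "__main__":
    for host, reason in risky_entries(SAMPLE):
        print(f"{host}: {reason}")
```

Entries it reports are the ones to complete or remove on hosts still running curl older than 8.11.1.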

Scores

CVSS v3 3.4
EPSS 0.0095
EPSS Percentile 76.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Classification

Status published

Affected Products (11)

haxx/curl < 8.11.1
netapp/ontap
netapp/ontap_select_deploy_administration_utility
netapp/h610c_firmware
netapp/h610s_firmware
netapp/h615c_firmware
netapp/h700s_firmware
netapp/bootstrap_os
netapp/h300s_firmware
netapp/h410s_firmware
netapp/h500s_firmware

Timeline

Published Dec 11, 2024
Tracked Since Feb 18, 2026