CVE-2024-11053
Severity: LOW
curl 7.76.0 - 8.11.1 - Credential Leak via .netrc File and HTTP Redirect
Title source: llmDescription
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
References (7)
Vendor Advisory
https://curl.se/docs/CVE-2024-11053.html
Vendor Advisory
https://curl.se/docs/CVE-2024-11053.json
Exploit, Issue Tracking, Third Party Advisory
https://hackerone.com/reports/2829063
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/12/11/1
Third Party Advisory
https://security.netapp.com/advisory/ntap-20250124-0012/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20250131-0003/
Vendor Advisory
https://security.netapp.com/advisory/ntap-20250131-0004/
Scores
CVSS v3
3.4
EPSS
0.0140
EPSS Percentile
80.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
Status
published
Products (11)
haxx/curl
7.76.0 - 8.11.1
netapp/bootstrap_os
netapp/h300s_firmware
netapp/h410s_firmware
netapp/h500s_firmware
netapp/h610c_firmware
netapp/h610s_firmware
netapp/h615c_firmware
netapp/h700s_firmware
netapp/ontap
9
... and 1 more
Published
Dec 11, 2024
Tracked Since
Feb 18, 2026