CVE-2024-11053
LOWDescription
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
CVSS v3.1 Score
Affected Products
| Vendor | Product |
|---|---|
| haxx | curl |
| netapp | ontap |
| netapp | ontap_select_deploy_administration_utility |
| netapp | h610c_firmware |
| netapp | h610c |
| netapp | h610s_firmware |
| netapp | h610s |
| netapp | h615c_firmware |
| netapp | h615c |
| netapp | h700s_firmware |
| netapp | h700s |
| netapp | bootstrap_os |
| netapp | hci_compute_node |
| netapp | h300s_firmware |
| netapp | h300s |
| netapp | h410s_firmware |
| netapp | h410s |
| netapp | h500s_firmware |
| netapp | h500s |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2024-11053? +
How severe is CVE-2024-11053? +
What products are affected by CVE-2024-11053? +
How do I check if I'm vulnerable to CVE-2024-11053? +
Related Vulnerabilities
Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the …
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes …
libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the …
The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the …
When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with …
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the …