CVE-2024-11053

Summary

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Affected Software

VendorProductVersion RangeStatus
curlcurl8.11.0 <= 8.11.0affected
curlcurl8.10.1 <= 8.10.1affected
curlcurl8.10.0 <= 8.10.0affected
curlcurl8.9.1 <= 8.9.1affected
curlcurl8.9.0 <= 8.9.0affected
curlcurl8.8.0 <= 8.8.0affected
curlcurl8.7.1 <= 8.7.1affected
curlcurl8.7.0 <= 8.7.0affected
curlcurl8.6.0 <= 8.6.0affected
curlcurl8.5.0 <= 8.5.0affected
curlcurl8.4.0 <= 8.4.0affected
curlcurl8.3.0 <= 8.3.0affected
curlcurl8.2.1 <= 8.2.1affected
curlcurl8.2.0 <= 8.2.0affected
curlcurl8.1.2 <= 8.1.2affected
curlcurl8.1.1 <= 8.1.1affected
curlcurl8.1.0 <= 8.1.0affected
curlcurl8.0.1 <= 8.0.1affected
curlcurl8.0.0 <= 8.0.0affected
curlcurl7.88.1 <= 7.88.1affected
curlcurl7.88.0 <= 7.88.0affected
curlcurl7.87.0 <= 7.87.0affected
curlcurl7.86.0 <= 7.86.0affected
curlcurl7.85.0 <= 7.85.0affected
curlcurl7.84.0 <= 7.84.0affected
curlcurl7.83.1 <= 7.83.1affected
curlcurl7.83.0 <= 7.83.0affected
curlcurl7.82.0 <= 7.82.0affected
curlcurl7.81.0 <= 7.81.0affected
curlcurl7.80.0 <= 7.80.0affected
curlcurl7.79.1 <= 7.79.1affected
curlcurl7.79.0 <= 7.79.0affected
curlcurl7.78.0 <= 7.78.0affected
curlcurl7.77.0 <= 7.77.0affected
curlcurl7.76.1 <= 7.76.1affected
curlcurl7.76.0 <= 7.76.0affected
curlcurl7.75.0 <= 7.75.0affected
curlcurl7.74.0 <= 7.74.0affected
curlcurl7.73.0 <= 7.73.0affected
curlcurl7.72.0 <= 7.72.0affected
curlcurl7.71.1 <= 7.71.1affected
curlcurl7.71.0 <= 7.71.0affected
curlcurl7.70.0 <= 7.70.0affected
curlcurl7.69.1 <= 7.69.1affected
curlcurl7.69.0 <= 7.69.0affected
curlcurl7.68.0 <= 7.68.0affected
curlcurl7.67.0 <= 7.67.0affected
curlcurl7.66.0 <= 7.66.0affected
curlcurl7.65.3 <= 7.65.3affected
curlcurl7.65.2 <= 7.65.2affected
curlcurl7.65.1 <= 7.65.1affected
curlcurl7.65.0 <= 7.65.0affected
curlcurl7.64.1 <= 7.64.1affected
curlcurl7.64.0 <= 7.64.0affected
curlcurl7.63.0 <= 7.63.0affected
curlcurl7.62.0 <= 7.62.0affected
curlcurl7.61.1 <= 7.61.1affected
curlcurl7.61.0 <= 7.61.0affected
curlcurl7.60.0 <= 7.60.0affected
curlcurl7.59.0 <= 7.59.0affected
curlcurl7.58.0 <= 7.58.0affected
curlcurl7.57.0 <= 7.57.0affected
curlcurl7.56.1 <= 7.56.1affected
curlcurl7.56.0 <= 7.56.0affected
curlcurl7.55.1 <= 7.55.1affected
curlcurl7.55.0 <= 7.55.0affected
curlcurl7.54.1 <= 7.54.1affected
curlcurl7.54.0 <= 7.54.0affected
curlcurl7.53.1 <= 7.53.1affected
curlcurl7.53.0 <= 7.53.0affected
curlcurl7.52.1 <= 7.52.1affected
curlcurl7.52.0 <= 7.52.0affected
curlcurl7.51.0 <= 7.51.0affected
curlcurl7.50.3 <= 7.50.3affected
curlcurl7.50.2 <= 7.50.2affected
curlcurl7.50.1 <= 7.50.1affected
curlcurl7.50.0 <= 7.50.0affected
curlcurl7.49.1 <= 7.49.1affected
curlcurl7.49.0 <= 7.49.0affected
curlcurl7.48.0 <= 7.48.0affected
curlcurl7.47.1 <= 7.47.1affected
curlcurl7.47.0 <= 7.47.0affected
curlcurl7.46.0 <= 7.46.0affected
curlcurl7.45.0 <= 7.45.0affected
curlcurl7.44.0 <= 7.44.0affected
curlcurl7.43.0 <= 7.43.0affected
curlcurl7.42.1 <= 7.42.1affected
curlcurl7.42.0 <= 7.42.0affected
curlcurl7.41.0 <= 7.41.0affected
curlcurl7.40.0 <= 7.40.0affected
curlcurl7.39.0 <= 7.39.0affected
curlcurl7.38.0 <= 7.38.0affected
curlcurl7.37.1 <= 7.37.1affected
curlcurl7.37.0 <= 7.37.0affected
curlcurl7.36.0 <= 7.36.0affected
curlcurl7.35.0 <= 7.35.0affected
curlcurl7.34.0 <= 7.34.0affected
curlcurl7.33.0 <= 7.33.0affected
curlcurl7.32.0 <= 7.32.0affected
curlcurl7.31.0 <= 7.31.0affected
curlcurl7.30.0 <= 7.30.0affected
curlcurl7.29.0 <= 7.29.0affected
curlcurl7.28.1 <= 7.28.1affected
curlcurl7.28.0 <= 7.28.0affected
curlcurl7.27.0 <= 7.27.0affected
curlcurl7.26.0 <= 7.26.0affected
curlcurl7.25.0 <= 7.25.0affected
curlcurl7.24.0 <= 7.24.0affected
curlcurl7.23.1 <= 7.23.1affected
curlcurl7.23.0 <= 7.23.0affected
curlcurl7.22.0 <= 7.22.0affected
curlcurl7.21.7 <= 7.21.7affected
curlcurl7.21.6 <= 7.21.6affected
curlcurl7.21.5 <= 7.21.5affected
curlcurl7.21.4 <= 7.21.4affected
curlcurl7.21.3 <= 7.21.3affected
curlcurl7.21.2 <= 7.21.2affected
curlcurl7.21.1 <= 7.21.1affected
curlcurl7.21.0 <= 7.21.0affected
curlcurl7.20.1 <= 7.20.1affected
curlcurl7.20.0 <= 7.20.0affected
curlcurl7.19.7 <= 7.19.7affected
curlcurl7.19.6 <= 7.19.6affected
curlcurl7.19.5 <= 7.19.5affected
curlcurl7.19.4 <= 7.19.4affected
curlcurl7.19.3 <= 7.19.3affected
curlcurl7.19.2 <= 7.19.2affected
curlcurl7.19.1 <= 7.19.1affected
curlcurl7.19.0 <= 7.19.0affected
curlcurl7.18.2 <= 7.18.2affected
curlcurl7.18.1 <= 7.18.1affected
curlcurl7.18.0 <= 7.18.0affected
curlcurl7.17.1 <= 7.17.1affected
curlcurl7.17.0 <= 7.17.0affected
curlcurl7.16.4 <= 7.16.4affected
curlcurl7.16.3 <= 7.16.3affected
curlcurl7.16.2 <= 7.16.2affected
curlcurl7.16.1 <= 7.16.1affected
curlcurl7.16.0 <= 7.16.0affected
curlcurl7.15.5 <= 7.15.5affected
curlcurl7.15.4 <= 7.15.4affected
curlcurl7.15.3 <= 7.15.3affected
curlcurl7.15.2 <= 7.15.2affected
curlcurl7.15.1 <= 7.15.1affected
curlcurl7.15.0 <= 7.15.0affected
curlcurl7.14.1 <= 7.14.1affected
curlcurl7.14.0 <= 7.14.0affected
curlcurl7.13.2 <= 7.13.2affected
curlcurl7.13.1 <= 7.13.1affected
curlcurl7.13.0 <= 7.13.0affected
curlcurl7.12.3 <= 7.12.3affected
curlcurl7.12.2 <= 7.12.2affected
curlcurl7.12.1 <= 7.12.1affected
curlcurl7.12.0 <= 7.12.0affected
curlcurl7.11.2 <= 7.11.2affected
curlcurl7.11.1 <= 7.11.1affected
curlcurl7.11.0 <= 7.11.0affected
curlcurl7.10.8 <= 7.10.8affected
curlcurl7.10.7 <= 7.10.7affected
curlcurl7.10.6 <= 7.10.6affected
curlcurl7.10.5 <= 7.10.5affected
curlcurl7.10.4 <= 7.10.4affected
curlcurl7.10.3 <= 7.10.3affected
curlcurl7.10.2 <= 7.10.2affected
curlcurl7.10.1 <= 7.10.1affected
curlcurl7.10 <= 7.10affected
curlcurl7.9.8 <= 7.9.8affected
curlcurl7.9.7 <= 7.9.7affected
curlcurl7.9.6 <= 7.9.6affected
curlcurl7.9.5 <= 7.9.5affected
curlcurl7.9.4 <= 7.9.4affected
curlcurl7.9.3 <= 7.9.3affected
curlcurl7.9.2 <= 7.9.2affected
curlcurl7.9.1 <= 7.9.1affected
curlcurl7.9 <= 7.9affected
curlcurl7.8.1 <= 7.8.1affected
curlcurl7.8 <= 7.8affected
curlcurl7.7.3 <= 7.7.3affected
curlcurl7.7.2 <= 7.7.2affected
curlcurl7.7.1 <= 7.7.1affected
curlcurl7.7 <= 7.7affected
curlcurl7.6.1 <= 7.6.1affected
curlcurl7.6 <= 7.6affected
curlcurl7.5.2 <= 7.5.2affected
curlcurl7.5.1 <= 7.5.1affected
curlcurl7.5 <= 7.5affected
curlcurl7.4.2 <= 7.4.2affected
curlcurl7.4.1 <= 7.4.1affected
curlcurl7.4 <= 7.4affected
curlcurl7.3 <= 7.3affected
curlcurl7.2.1 <= 7.2.1affected
curlcurl7.2 <= 7.2affected
curlcurl7.1.1 <= 7.1.1affected
curlcurl7.1 <= 7.1affected
curlcurl6.5.2 <= 6.5.2affected
curlcurl6.5.1 <= 6.5.1affected
curlcurl6.5 <= 6.5affected

Weaknesses

  • CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References