CURL-CVE-2024-11053

Source
https://curl.se/docs/CVE-2024-11053.html
Import Source
https://curl.se/docs/CURL-CVE-2024-11053.json
JSON Data
https://api.test.osv.dev/v1/vulns/CURL-CVE-2024-11053
Aliases
Published
2024-12-11T08:00:00Z
Modified
2025-09-15T12:12:51Z
Summary
netrc and redirect credential leak
Details

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Database specific
{
    "affects": "both",
    "last_affected": "8.11.0",
    "CWE": {
        "desc": "Exposure of Sensitive Information to an Unauthorized Actor",
        "id": "CWE-200"
    },
    "www": "https://curl.se/docs/CVE-2024-11053.html",
    "package": "curl",
    "issue": "https://hackerone.com/reports/2829063",
    "award": {
        "currency": "USD",
        "amount": "505"
    },
    "URL": "https://curl.se/docs/CVE-2024-11053.json",
    "severity": "Low"
}
References
Credits
    • Harry Sintonen - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.76.0
Fixed
8.11.1
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
7.84.0
7.85.0
7.86.0
7.87.0
7.88.0
7.88.1

8.*

8.0.0
8.0.1
8.1.0
8.1.1
8.1.2
8.10.0
8.10.1
8.11.0
8.2.0
8.2.1
8.3.0
8.4.0
8.5.0
8.6.0
8.7.0
8.7.1
8.8.0
8.9.0
8.9.1

Database specific

{
    "vanir_signatures": [
        {
            "source": "https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949",
            "signature_type": "Function",
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "lib/url.c",
                "function": "override_login"
            },
            "digest": {
                "length": 2472.0,
                "function_hash": "285823273903469814391915165331238113855"
            },
            "id": "CURL-CVE-2024-11053-09ea3efb"
        },
        {
            "source": "https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949",
            "signature_type": "Line",
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "tests/unit/unit1304.c"
            },
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "id": "CURL-CVE-2024-11053-226acfb4"
        },
        {
            "source": "https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949",
            "signature_type": "Function",
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "lib/netrc.c",
                "function": "parsenetrc"
            },
            "digest": {
                "length": 3159.0,
                "function_hash": "201203478480787820716623313081020003338"
            },
            "id": "CURL-CVE-2024-11053-2377ced5"
        },
        {
            "source": "https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949",
            "signature_type": "Line",
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "lib/url.c"
            },
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "id": "CURL-CVE-2024-11053-69170025"
        },
        {
            "source": "https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949",
            "signature_type": "Function",
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "tests/unit/unit1304.c",
                "function": "unit_setup"
            },
            "digest": {
                "length": 227.0,
                "function_hash": "83883397545199438522891454098020556407"
            },
            "id": "CURL-CVE-2024-11053-94dc8319"
        },
        {
            "source": "https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949",
            "signature_type": "Line",
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "lib/netrc.c"
            },
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "id": "CURL-CVE-2024-11053-dbeb0843"
        }
    ]
}