Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-11053

Severity Low
Score 3.4/10

Summary

When asked to both use a ".netrc" file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the "netrc" file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. This issue affects curl 6.5 through 8.11.0.
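The entry shape named in the summary can be looked for in an existing ".netrc" file. The following is an added example, not code from curl or from this advisory; the function names, hostnames and sample file contents are constructed, and the tokenizer is a simplification that assumes whitespace-separated tokens with no quoted values.

```python
# Added example (assumption: whitespace-separated tokens, no quoted values).
def parse_netrc(text):
    """Return one dict per 'machine' entry: machine, login, password."""
    kept, in_macro = [], False
    for line in text.splitlines():
        if in_macro:                      # macdef body runs until a blank line
            in_macro = bool(line.strip())
        elif line.split()[:1] == ["macdef"]:
            in_macro = True
        elif not line.lstrip().startswith("#"):
            kept.append(line)
    tokens = " ".join(kept).split()
    entries, current, i = [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine" and i + 1 < len(tokens):
            current = {"machine": tokens[i + 1], "login": None, "password": None}
            entries.append(current)
            i += 2
        elif tok == "default":            # not tied to a hostname; skip its fields
            current = None
            i += 1
        elif tok in ("login", "password", "account") and i + 1 < len(tokens):
            if current is not None and tok != "account":
                current[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries

def risky_entries(text):
    """Entries that omit just the password, or both login and password."""
    findings = []
    for e in parse_netrc(text):
        if e["password"] is None:
            reason = "password omitted" if e["login"] else "login and password omitted"
            findings.append((e["machine"], reason))
    return findings

# Constructed sample file contents, not taken from any real system.
SAMPLE = """\
machine a.example login alice password s3cret
machine b.example login bob
machine c.example
machine d.example password onlypw
default login anon password x
"""

if __name__ == "__main__":
    print(risky_entries(SAMPLE))
```

Entries it reports are the ones relevant while a curl in the affected range (6.5 through 8.11.0) is used with both a ".netrc" file and redirect following.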

  • HIGH
  • NETWORK
  • NONE
  • CHANGED
  • REQUIRED
  • NONE
  • LOW
  • NONE

CWE-200 - Information Exposure

An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.

Advisory Timeline

  • Published