Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-11053
Summary
When asked to both use a ".netrc" file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the ".netrc" file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. This issue affects curl 6.5 through 8.11.0.
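An added example, not from the advisory or the curl project: a small Python check that lists the ".netrc" entries meeting the condition in the summary (a `machine` entry with no password, or with neither login nor password). The function names and the sample file content are constructed for illustration.

```python
"""Audit a .netrc file for machine entries that lack a password (added example)."""
import os
import sys

# Constructed sample content, not taken from any real system.
SAMPLE = """\
# constructed sample
machine a.example login alice password s3cret
machine b.example login bob
machine c.example
macdef init
machine not.real login x

machine d.example
  login carol
  password hunter2
"""

def _tokens(text):
    """Yield netrc tokens, skipping comment lines and macdef bodies."""
    in_macro = False
    for line in text.splitlines():
        if in_macro:                       # a macro body ends at a blank line
            in_macro = bool(line.strip())
            continue
        if line.lstrip().startswith("#"):
            continue
        for tok in line.split():           # quoted values with spaces are not rejoined
            if tok == "macdef":
                in_macro = True
                break
            yield tok

def risky_netrc_entries(text):
    """Return [(host, reason)] for machine entries with no password token."""
    entries, cur, toks = [], None, _tokens(text)
    for tok in toks:
        if tok == "machine":
            cur = {"host": next(toks, "")}
            entries.append(cur)
        elif tok == "default":
            cur = None                     # only an entry boundary in this check
        elif tok in ("login", "password", "account") and cur is not None:
            cur[tok] = next(toks, "")
    return [(e["host"], "no password" if "login" in e else "no login or password")
            for e in entries if "password" not in e]

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.netrc")
    with open(path) as fh:
        for host, reason in risky_netrc_entries(fh.read()):
            print(f"{path}: machine {host}: {reason}")
```

Each reported entry is one that should either be given a complete login and password or be removed on hosts running a curl version in the affected range.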
- HIGH
- NETWORK
- NONE
- CHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-200 - Information Exposure
An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.