Main Vulnerability Database Vulnerabilities #VU101654

#VU101654 Information disclosure in cURL - CVE-2024-11053

Published: December 11, 2024

Vulnerability identifier: #VU101654

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-11053

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
cURL

Software vendor:
curl.haxx.se

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when using a .netrc file for credentials and an instruction to follow HTTP redirects. The cURL library can leak credentials intended for the first URL prior to redirection. This however will only occur if the .netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Remediation

Install updates from vendor's website.

External links

https://curl.haxx.se/docs/CVE-2024-11053.html

#VU101654 Information disclosure in cURL - CVE-2024-11053

Description

Remediation

External links

Please verify you're human