https://cve.circl.lu/comments/feed
Most recent comments (Vulnerability-Lookup, info@circl.lu, generated with python-feedgen). Contains only the 10 most recent comments. Feed updated 2025-03-02T17:32:19.472294+00:00.

## netrc and redirect credential leak

https://cve.circl.lu/comment/36846c73-0c66-4bdf-b5f9-3a3b65823062
Cédric Bonhomme (http://cve.circl.lu/user/cedric), published 2024-12-11T09:52:06.061616+00:00, updated 2025-03-02T17:32:19.479376+00:00

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

### Info

> "A curl transfer with a.tld that redirects to b.tld that uses a .netrc like below (with a match, but no password specified for the second host), would make curl pass on alicespassword as password even in the second transfer to the separate host b.tld.
>
>     machine a.tld
>     login alice
>     password alicespassword
>     default
>     login bob
>
> This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.
>
> This flaw also affects the curl command line tool.
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-11053 to this issue.
>
> CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
>
> Severity: Low"

## CVE-2024-11053 is *not* a critical security flaw

https://cve.circl.lu/comment/d5063906-100a-4bf2-9ef4-94173879f4e1
Alexandre Dulaunoy (http://cve.circl.lu/user/adulau), published 2024-12-15T15:17:59.506935+00:00, updated 2025-03-02T17:32:19.477120+00:00

Clarification by the author/maintainer of the project: [https://mastodon.social/@bagder/113657205050547339](https://mastodon.social/@bagder/113657205050547339)

~~~
FYI: CVE-2024-11053 is *not* a critical security flaw, even if now several security related sites repeat that statement.

This is as good as any reminder that you should read the #curl advisories for #curl issues rather than trusting the scaremongers.
~~~

[https://curl.se/docs/CVE-2024-11053.html](https://curl.se/docs/CVE-2024-11053.html)