Feed: https://cve.circl.lu/comments/feed ("Most recent comment", Vulnerability-Lookup, info@circl.lu, generated by python-feedgen). Feed updated 2025-03-02T17:32:19.472294+00:00. Contains only the 10 most recent comments.

## netrc and redirect credential leak

Comment: https://cve.circl.lu/comment/36846c73-0c66-4bdf-b5f9-3a3b65823062
Author: Cédric Bonhomme (http://cve.circl.lu/user/cedric)
Updated: 2025-03-02T17:32:19.479376+00:00

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
### Info
> "A curl transfer with a.tld that redirects to b.tld that uses a .netrc like below (with a match, but no password specified for the second host), would make curl pass on alicespassword as password even in the second transfer to the separate host b.tld.
>
> ~~~
> machine a.tld
> login alice
> password alicespassword
> default
> login bob
> ~~~
>
> This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.
>
> This flaw also affects the curl command line tool.
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-11053 to this issue.
>
> CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
>
> Severity: Low"
Published: 2024-12-11T09:52:06.061616+00:00

## CVE-2024-11053 is *not* a critical security flaw

Comment: https://cve.circl.lu/comment/d5063906-100a-4bf2-9ef4-94173879f4e1
Author: Alexandre Dulaunoy (http://cve.circl.lu/user/adulau)
Updated: 2025-03-02T17:32:19.477120+00:00

Clarification by the author/maintainer of the project:
[https://mastodon.social/@bagder/113657205050547339](https://mastodon.social/@bagder/113657205050547339)
~~~
FYI: CVE-2024-11053 is *not* a critical security flaw, even if now several security related sites repeat that statement.
This is as good as any reminder that you should read the #curl advisories for #curl issues rather than trusting the scaremongers.
~~~
[https://curl.se/docs/CVE-2024-11053.html](https://curl.se/docs/CVE-2024-11053.html)

Published: 2024-12-15T15:17:59.506935+00:00