github - ghsa-h288-5fq8-5pfw

ghsa-h288-5fq8-5pfw

Vulnerability from github

Published

2024-12-11 09:32

Modified

2025-01-31 15:30

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-11053"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-11T08:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password.",
  "id": "GHSA-h288-5fq8-5pfw",
  "modified": "2025-01-31T15:30:43Z",
  "published": "2024-12-11T09:32:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11053"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2829063"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2024-11053.html"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2024-11053.json"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250124-0012"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250131-0003"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/12/11/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2024-11053 (GCVE-0-2024-11053)

Vulnerability from cvelistv5

Published

2024-12-11 07:34

Modified

2025-01-31 15:02

Severity ?

3.4 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CWE

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Summary

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

References

URL

Tags

	https://curl.se/docs/CVE-2024-11053.json
	https://curl.se/docs/CVE-2024-11053.html
	https://hackerone.com/reports/2829063

Impacted products

	Vendor	Product	Version
	curl	curl	Version: 8.11.0 ≤ 8.11.0 Version: 8.10.1 ≤ 8.10.1 Version: 8.10.0 ≤ 8.10.0 Version: 8.9.1 ≤ 8.9.1 Version: 8.9.0 ≤ 8.9.0 Version: 8.8.0 ≤ 8.8.0 Version: 8.7.1 ≤ 8.7.1 Version: 8.7.0 ≤ 8.7.0 Version: 8.6.0 ≤ 8.6.0 Version: 8.5.0 ≤ 8.5.0 Version: 8.4.0 ≤ 8.4.0 Version: 8.3.0 ≤ 8.3.0 Version: 8.2.1 ≤ 8.2.1 Version: 8.2.0 ≤ 8.2.0 Version: 8.1.2 ≤ 8.1.2 Version: 8.1.1 ≤ 8.1.1 Version: 8.1.0 ≤ 8.1.0 Version: 8.0.1 ≤ 8.0.1 Version: 8.0.0 ≤ 8.0.0 Version: 7.88.1 ≤ 7.88.1 Version: 7.88.0 ≤ 7.88.0 Version: 7.87.0 ≤ 7.87.0 Version: 7.86.0 ≤ 7.86.0 Version: 7.85.0 ≤ 7.85.0 Version: 7.84.0 ≤ 7.84.0 Version: 7.83.1 ≤ 7.83.1 Version: 7.83.0 ≤ 7.83.0 Version: 7.82.0 ≤ 7.82.0 Version: 7.81.0 ≤ 7.81.0 Version: 7.80.0 ≤ 7.80.0 Version: 7.79.1 ≤ 7.79.1 Version: 7.79.0 ≤ 7.79.0 Version: 7.78.0 ≤ 7.78.0 Version: 7.77.0 ≤ 7.77.0 Version: 7.76.1 ≤ 7.76.1 Version: 7.76.0 ≤ 7.76.0 Version: 7.75.0 ≤ 7.75.0 Version: 7.74.0 ≤ 7.74.0 Version: 7.73.0 ≤ 7.73.0 Version: 7.72.0 ≤ 7.72.0 Version: 7.71.1 ≤ 7.71.1 Version: 7.71.0 ≤ 7.71.0 Version: 7.70.0 ≤ 7.70.0 Version: 7.69.1 ≤ 7.69.1 Version: 7.69.0 ≤ 7.69.0 Version: 7.68.0 ≤ 7.68.0 Version: 7.67.0 ≤ 7.67.0 Version: 7.66.0 ≤ 7.66.0 Version: 7.65.3 ≤ 7.65.3 Version: 7.65.2 ≤ 7.65.2 Version: 7.65.1 ≤ 7.65.1 Version: 7.65.0 ≤ 7.65.0 Version: 7.64.1 ≤ 7.64.1 Version: 7.64.0 ≤ 7.64.0 Version: 7.63.0 ≤ 7.63.0 Version: 7.62.0 ≤ 7.62.0 Version: 7.61.1 ≤ 7.61.1 Version: 7.61.0 ≤ 7.61.0 Version: 7.60.0 ≤ 7.60.0 Version: 7.59.0 ≤ 7.59.0 Version: 7.58.0 ≤ 7.58.0 Version: 7.57.0 ≤ 7.57.0 Version: 7.56.1 ≤ 7.56.1 Version: 7.56.0 ≤ 7.56.0 Version: 7.55.1 ≤ 7.55.1 Version: 7.55.0 ≤ 7.55.0 Version: 7.54.1 ≤ 7.54.1 Version: 7.54.0 ≤ 7.54.0 Version: 7.53.1 ≤ 7.53.1 Version: 7.53.0 ≤ 7.53.0 Version: 7.52.1 ≤ 7.52.1 Version: 7.52.0 ≤ 7.52.0 Version: 7.51.0 ≤ 7.51.0 Version: 7.50.3 ≤ 7.50.3 Version: 7.50.2 ≤ 7.50.2 Version: 7.50.1 ≤ 7.50.1 Version: 7.50.0 ≤ 7.50.0 Version: 7.49.1 ≤ 7.49.1 Version: 7.49.0 ≤ 7.49.0 Version: 7.48.0 ≤ 7.48.0 Version: 7.47.1 ≤ 7.47.1 Version: 7.47.0 ≤ 7.47.0 Version: 7.46.0 ≤ 7.46.0 Version: 7.45.0 ≤ 7.45.0 Version: 7.44.0 ≤ 7.44.0 Version: 7.43.0 ≤ 7.43.0 Version: 7.42.1 ≤ 7.42.1 Version: 7.42.0 ≤ 7.42.0 Version: 7.41.0 ≤ 7.41.0 Version: 7.40.0 ≤ 7.40.0 Version: 7.39.0 ≤ 7.39.0 Version: 7.38.0 ≤ 7.38.0 Version: 7.37.1 ≤ 7.37.1 Version: 7.37.0 ≤ 7.37.0 Version: 7.36.0 ≤ 7.36.0 Version: 7.35.0 ≤ 7.35.0 Version: 7.34.0 ≤ 7.34.0 Version: 7.33.0 ≤ 7.33.0 Version: 7.32.0 ≤ 7.32.0 Version: 7.31.0 ≤ 7.31.0 Version: 7.30.0 ≤ 7.30.0 Version: 7.29.0 ≤ 7.29.0 Version: 7.28.1 ≤ 7.28.1 Version: 7.28.0 ≤ 7.28.0 Version: 7.27.0 ≤ 7.27.0 Version: 7.26.0 ≤ 7.26.0 Version: 7.25.0 ≤ 7.25.0 Version: 7.24.0 ≤ 7.24.0 Version: 7.23.1 ≤ 7.23.1 Version: 7.23.0 ≤ 7.23.0 Version: 7.22.0 ≤ 7.22.0 Version: 7.21.7 ≤ 7.21.7 Version: 7.21.6 ≤ 7.21.6 Version: 7.21.5 ≤ 7.21.5 Version: 7.21.4 ≤ 7.21.4 Version: 7.21.3 ≤ 7.21.3 Version: 7.21.2 ≤ 7.21.2 Version: 7.21.1 ≤ 7.21.1 Version: 7.21.0 ≤ 7.21.0 Version: 7.20.1 ≤ 7.20.1 Version: 7.20.0 ≤ 7.20.0 Version: 7.19.7 ≤ 7.19.7 Version: 7.19.6 ≤ 7.19.6 Version: 7.19.5 ≤ 7.19.5 Version: 7.19.4 ≤ 7.19.4 Version: 7.19.3 ≤ 7.19.3 Version: 7.19.2 ≤ 7.19.2 Version: 7.19.1 ≤ 7.19.1 Version: 7.19.0 ≤ 7.19.0 Version: 7.18.2 ≤ 7.18.2 Version: 7.18.1 ≤ 7.18.1 Version: 7.18.0 ≤ 7.18.0 Version: 7.17.1 ≤ 7.17.1 Version: 7.17.0 ≤ 7.17.0 Version: 7.16.4 ≤ 7.16.4 Version: 7.16.3 ≤ 7.16.3 Version: 7.16.2 ≤ 7.16.2 Version: 7.16.1 ≤ 7.16.1 Version: 7.16.0 ≤ 7.16.0 Version: 7.15.5 ≤ 7.15.5 Version: 7.15.4 ≤ 7.15.4 Version: 7.15.3 ≤ 7.15.3 Version: 7.15.2 ≤ 7.15.2 Version: 7.15.1 ≤ 7.15.1 Version: 7.15.0 ≤ 7.15.0 Version: 7.14.1 ≤ 7.14.1 Version: 7.14.0 ≤ 7.14.0 Version: 7.13.2 ≤ 7.13.2 Version: 7.13.1 ≤ 7.13.1 Version: 7.13.0 ≤ 7.13.0 Version: 7.12.3 ≤ 7.12.3 Version: 7.12.2 ≤ 7.12.2 Version: 7.12.1 ≤ 7.12.1 Version: 7.12.0 ≤ 7.12.0 Version: 7.11.2 ≤ 7.11.2 Version: 7.11.1 ≤ 7.11.1 Version: 7.11.0 ≤ 7.11.0 Version: 7.10.8 ≤ 7.10.8 Version: 7.10.7 ≤ 7.10.7 Version: 7.10.6 ≤ 7.10.6 Version: 7.10.5 ≤ 7.10.5 Version: 7.10.4 ≤ 7.10.4 Version: 7.10.3 ≤ 7.10.3 Version: 7.10.2 ≤ 7.10.2 Version: 7.10.1 ≤ 7.10.1 Version: 7.10 ≤ 7.10 Version: 7.9.8 ≤ 7.9.8 Version: 7.9.7 ≤ 7.9.7 Version: 7.9.6 ≤ 7.9.6 Version: 7.9.5 ≤ 7.9.5 Version: 7.9.4 ≤ 7.9.4 Version: 7.9.3 ≤ 7.9.3 Version: 7.9.2 ≤ 7.9.2 Version: 7.9.1 ≤ 7.9.1 Version: 7.9 ≤ 7.9 Version: 7.8.1 ≤ 7.8.1 Version: 7.8 ≤ 7.8 Version: 7.7.3 ≤ 7.7.3 Version: 7.7.2 ≤ 7.7.2 Version: 7.7.1 ≤ 7.7.1 Version: 7.7 ≤ 7.7 Version: 7.6.1 ≤ 7.6.1 Version: 7.6 ≤ 7.6 Version: 7.5.2 ≤ 7.5.2 Version: 7.5.1 ≤ 7.5.1 Version: 7.5 ≤ 7.5 Version: 7.4.2 ≤ 7.4.2 Version: 7.4.1 ≤ 7.4.1 Version: 7.4 ≤ 7.4 Version: 7.3 ≤ 7.3 Version: 7.2.1 ≤ 7.2.1 Version: 7.2 ≤ 7.2 Version: 7.1.1 ≤ 7.1.1 Version: 7.1 ≤ 7.1 Version: 6.5.2 ≤ 6.5.2 Version: 6.5.1 ≤ 6.5.1 Version: 6.5 ≤ 6.5

Show details on NVD website