CVE-2024-11053
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 11/12/2024
Last modified: 03/11/2025
Description
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
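An added audit check, not part of the advisory or of curl's own code: given a `.netrc` file and the hostnames a redirect chain passes through, it reports the entries that meet the precondition above (an entry for a redirect target that omits the password, or both login and password) while the first host does carry a password, which is the situation in which an unpatched curl could reuse that password. The `.netrc` parser is deliberately minimal (no quoting, and `default`/`account`/`macdef` are skipped rather than interpreted), and the sample file and hostnames are constructed for illustration.

```python
# Minimal .netrc audit for the CVE-2024-11053 precondition (added example,
# not curl's own code). The sample file below is constructed.
SAMPLE_NETRC = """\
machine origin.example.com login alice password s3cret
machine mirror.example.com login bob
machine cdn.example.com
machine other.example.com login carol password other
"""

KEYWORDS = {"machine", "default", "login", "password", "account", "macdef"}


def parse_netrc(text):
    """Return {hostname: {"login": ..., "password": ...}}, None for omitted
    fields. Simplified grammar: no quoting; 'default'/'account'/'macdef' skipped."""
    tokens, entries, host, i = text.split(), {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "machine" and nxt and nxt not in KEYWORDS:
            host = nxt.lower()
            entries[host] = {"login": None, "password": None}
            i += 2
        elif tok == "default":
            host = None  # fields of a 'default' entry must not attach to the previous host
            i += 1
        elif tok in ("login", "password") and host and nxt and nxt not in KEYWORDS:
            entries[host][tok] = nxt
            i += 2
        else:
            i += 1  # keyword with no value, or a token this parser does not model
    return entries


def risky_redirect_targets(netrc_text, first_host, redirect_hosts):
    """Redirect hosts whose .netrc entry exists but lacks a password (or both
    login and password) while first_host's entry does have a password."""
    entries = parse_netrc(netrc_text)
    first = entries.get(first_host.lower())
    if not first or not first["password"]:
        return []  # no first-host password, so nothing could be reused downstream
    return [
        h for h in redirect_hosts
        if h.lower() != first_host.lower()
        and h.lower() in entries
        and not entries[h.lower()]["password"]
    ]
```

Hosts with no `.netrc` entry at all are not reported, matching the advisory's condition that an entry must exist for the redirect target.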
Impact
Base Score 3.x: 3.40
Severity 3.x: LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | 7.76.0 (including) | 8.11.1 (excluding) |
| cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:* | | |
| cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:netapp:h610c_firmware:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:netapp:h610c:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:netapp:h610s_firmware:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:netapp:h610s:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:netapp:h615c_firmware:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:netapp:h615c:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://curl.se/docs/CVE-2024-11053.html
- https://curl.se/docs/CVE-2024-11053.json
- https://hackerone.com/reports/2829063
- http://www.openwall.com/lists/oss-security/2024/12/11/1
- https://security.netapp.com/advisory/ntap-20250124-0012/
- https://security.netapp.com/advisory/ntap-20250131-0003/
- https://security.netapp.com/advisory/ntap-20250131-0004/