
exploitDog


CVE-2024-11053

Published: 11 Dec 2024
Source: redhat
CVSS3: 5.9
EPSS: Low

Description

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

A flaw was found in curl. A logic error when processing credentials from the .netrc file while performing redirects allows the transfer of credentials from the original host to the followed-to host under certain circumstances, leaking the credentials to the followed-to host.

Report

This issue only affects curl when a .netrc file is used and a redirect is performed. Additionally, the .netrc must contain an entry that matches the followed-to hostname, and that entry must have either no password or neither login nor password configured. Example of a vulnerable .netrc configuration:

machine a.com login alice password alicespassword default login bob
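The following checker is an added example, not code from curl, Red Hat or exploitDog. It parses a .netrc file with a small hand-written tokenizer (assumption: no macdef blocks), lists every entry that omits its password, and models the advisory's precondition for a given original host and redirect target: the first host has a .netrc password and the entry matched for the redirect target lacks one. The matching rule (exact machine entry first, then default) is a simplified model of what the report describes, not a reimplementation of curl's own lookup. The constructed sample input is the vulnerable line quoted above.

```python
"""Audit a .netrc file for the entry shape described in CVE-2024-11053.

Added example, not code from curl, Red Hat or exploitDog. Uses a small
hand-written tokenizer for the .netrc format (machine / default / login /
user / password / account keywords) and assumes the file contains no
"macdef" macro blocks. The redirect check models the precondition the
advisory describes, not curl's actual lookup code.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class NetrcEntry:
    machine: str                    # hostname, or "default" for the catch-all entry
    login: Optional[str] = None
    password: Optional[str] = None

    def is_incomplete(self) -> bool:
        """True when the entry omits the password, or both login and password.

        That is exactly the entry shape that makes a redirect target eligible
        to receive the first host's password on an unfixed curl.
        """
        return self.password is None


def parse_netrc(text: str) -> list[NetrcEntry]:
    """Parse .netrc text into entries, in file order (comments stripped)."""
    tokens: list[str] = []
    for line in text.splitlines():
        tokens.extend(line.split("#", 1)[0].split())

    def value(pos: int) -> str:
        if pos >= len(tokens):
            raise ValueError(f"missing value after {tokens[pos - 1]!r}")
        return tokens[pos]

    entries: list[NetrcEntry] = []
    current: Optional[NetrcEntry] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = NetrcEntry(machine=value(i + 1))
            entries.append(current)
            i += 2
        elif tok == "default":
            current = NetrcEntry(machine="default")
            entries.append(current)
            i += 1
        elif tok == "macdef":
            raise ValueError("macdef blocks are not supported by this example")
        elif current is None:
            raise ValueError(f"token {tok!r} before any machine/default entry")
        elif tok in ("login", "user"):
            current.login = value(i + 1)
            i += 2
        elif tok == "password":
            current.password = value(i + 1)
            i += 2
        elif tok == "account":          # valid keyword, irrelevant to this check
            value(i + 1)
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return entries


def lookup(entries: list[NetrcEntry], host: str) -> Optional[NetrcEntry]:
    """Entry used for host: first exact 'machine' match, else the 'default' entry."""
    for entry in entries:
        if entry.machine == host:
            return entry
    for entry in entries:
        if entry.machine == "default":
            return entry
    return None


def audit(entries: list[NetrcEntry]) -> list[NetrcEntry]:
    """Entries that omit the password (the shape the report warns about)."""
    return [e for e in entries if e.is_incomplete()]


def redirect_exposes_password(entries: list[NetrcEntry],
                              original_host: str, redirect_host: str) -> bool:
    """Model of the advisory's precondition: the original host has a .netrc
    password and the entry matched for the redirect target has none."""
    src = lookup(entries, original_host)
    dst = lookup(entries, redirect_host)
    if src is None or src.password is None or dst is None:
        return False
    return dst.is_incomplete()


# Constructed sample: the vulnerable configuration quoted in the report.
VULNERABLE_NETRC = "machine a.com login alice password alicespassword default login bob"

# Constructed hardened variant: the password-less catch-all entry is removed,
# so a redirect target that is not listed gets no .netrc credentials at all.
HARDENED_NETRC = "machine a.com login alice password alicespassword"

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_NETRC), ("hardened", HARDENED_NETRC)):
        entries = parse_netrc(text)
        print(f"[{label}] password-less entries:", [e.machine for e in audit(entries)])
        print(f"[{label}] a.com -> b.com redirect exposes password:",
              redirect_exposes_password(entries, "a.com", "b.com"))
```

Running the block prints that the vulnerable file has a password-less `default` entry and that a redirect from a.com to b.com meets the precondition, while the hardened file has neither. Because `b.com` has no entry of its own, the hardened file sends it no .netrc credentials at all, which is the safer outcome for a host you did not list.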

Mitigation

Avoid using the .netrc file together with redirects.

Affected packages

Platform                                 Package   Status                 Advisory        Release
Red Hat Enterprise Linux 10              curl      Fix deferred
Red Hat Enterprise Linux 10              mysql8.4  Affected
Red Hat Enterprise Linux 6               curl      Out of support scope
Red Hat Enterprise Linux 6               mysql     Not affected
Red Hat Enterprise Linux 7               curl      Out of support scope
Red Hat Enterprise Linux 8               curl      Fix deferred
Red Hat Enterprise Linux 9               curl      Fix deferred
Red Hat JBoss Core Services              curl      Fix deferred
Red Hat OpenShift Container Platform 4   rhcos     Fix deferred
Red Hat Enterprise Linux 8               mysql     Fixed                  RHSA-2025:1673  19.02.2025


Additional information

Status:

Low
Weakness:
CWE-200

EPSS

Percentile: 36%
0.00145
Low

5.9 Medium

CVSS3

Related vulnerabilities

CVSS3: 3.4
ubuntu
6 months ago

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

CVSS3: 3.4
nvd
6 months ago

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

CVSS3: 3.4
msrc
5 months ago

No description available

CVSS3: 3.4
debian
6 months ago

When asked to both use a `.netrc` file for credentials and to follow H ...

suse-cvrf
6 months ago

Security update for curl
