CVEFinder.io

CVE-2024-11053

â„šī¸ low
Summary

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
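As an added, defender-side example (not curl's code and not taken from this page's source): a small Python audit that parses a `.netrc` file and flags the entry shapes the advisory describes, so an operator can check whether a redirect between two hosts in that file could meet the leak conditions. The parser and the sample `.netrc` text are constructed for this example and handle only plain `machine` entries (no `default` or `macdef`).

```python
import shlex

# Constructed sample .netrc (not a real file), one entry per shape the
# advisory names: complete, password omitted, login and password omitted.
SAMPLE_NETRC = """
machine first.example login alice password s3cret
machine redirect.example login bob
machine other.example
machine safe.example login carol password hunter2
"""

def parse_netrc(text):
    """Return {machine: {"login": ..., "password": ...}}, None when a field
    is absent. Assumption: plain machine entries only (no default/macdef)."""
    entries, current, i = {}, None, 0
    tokens = shlex.split(text, comments=True)
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = tokens[i + 1]
            entries[current] = {"login": None, "password": None}
            i += 2
        elif tok in ("login", "user", "password", "account") and current:
            key = "login" if tok == "user" else tok
            if key != "account":          # account is irrelevant to the leak
                entries[current][key] = tokens[i + 1]
            i += 2
        else:                             # unknown token: skip, don't abort
            i += 1
    return entries

def vulnerable_entries(entries):
    """host -> reason, for entries in the shape CVE-2024-11053 requires."""
    findings = {}
    for host, entry in entries.items():
        if entry["login"] is None and entry["password"] is None:
            findings[host] = "omits login and password"
        elif entry["password"] is None:
            findings[host] = "omits password"
    return findings

def redirect_leak_possible(entries, first_host, redirect_host):
    """True when a redirect first_host -> redirect_host meets both advisory
    conditions: first_host has a password, target entry is vulnerable."""
    src = entries.get(first_host)
    return bool(src and src["password"]) and redirect_host in vulnerable_entries(entries)
```

Run `vulnerable_entries(parse_netrc(open(path).read()))` over a real file to list the entries worth completing or removing; a clean result means no redirect target in that file has the vulnerable shape.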

CVSS Score: 3.4 (Low)
EPSS Score: 1.0 (exploit probability)
Published Date: 2024-12-11
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is lower risk: it is more severe than only 2.8% of the 329,456 vulnerabilities in our database.

Severity Percentile: #320,235 (below average severity)
🎯 CISA SSVC Assessment (updated Dec 15, 2024)
🔍 Exploitation Status: PoC (proof-of-concept available)
⚙️ Automatable: No (requires human interaction)
💥 Technical Impact: Partial (limited system impact)
🏆 Discovered By: Harry Sintonen; Daniel Stenberg (remediation developer)
SSVC data provided by CISA
Last Modified: 2025-11-03
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

📦 Affected Products (11)

🔗 References (7)

🔗 Related CVEs (6)

Each entry lists CVE ID, severity, CVSS, EPSS, summary and published date.

CVE-2026-4873 (🔶 medium, CVSS 5.9, EPSS 0.0, published 2026-05-13): A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the s...
CVE-2026-6253 (🔶 medium, CVSS 5.9, EPSS 0.0, published 2026-05-13): curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following cond...
CVE-2026-6276 (⚠️ high, CVSS 7.5, EPSS 0.0, published 2026-05-13): Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done u...
CVE-2026-6429 (🔶 medium, CVSS 5.3, EPSS 0.0, published 2026-05-13): When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password use...
CVE-2026-7009 (🔶 medium, CVSS 5.3, EPSS 0.0, published 2026-05-13): When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify t...
CVE-2026-7168 (🔶 medium, CVSS 5.3, EPSS 0.1, published 2026-05-13): Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and the...

These CVEs affect the same products.