CVEFinder.io

CVE-2024-11053

ℹī¸ low
Summary

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

CVSS Score
3.4
Low
EPSS Score
1.0
Exploit Probability
Published Date
2024-12-11
First Seen: 2026-01-05
Last Modified 2025-11-03
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

🔗 References 7

https://curl.se/docs/CVE-2024-11053.html
Vendor Advisory
https://curl.se/docs/CVE-2024-11053.json
Vendor Advisory
https://hackerone.com/reports/2829063
Exploit Issue Tracking Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/12/11/1
Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20250124-0...
Third Party Advisory
https://security.netapp.com/advisory/ntap-20250131-0...
Third Party Advisory
https://security.netapp.com/advisory/ntap-20250131-0...

đŸ“Ļ Affected Products 11

Vendor Product Status Affected Versions
haxx curl Affected
≥ 7.76.0 < 8.11.1
netapp ontap_select_deploy_administration_utility Affected
v-
netapp h610s_firmware Affected
v-
netapp h300s_firmware Affected
v-
netapp h410s_firmware Affected
v-
netapp h500s_firmware Affected
v-
netapp h700s_firmware Affected
v-
netapp h610c_firmware Affected
v-
netapp h615c_firmware Affected
v-
netapp bootstrap_os Affected
v-
netapp ontap Affected
v9

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-22050 đŸ”ļ medium 4.3 0.0 ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a ... 2026-01-12
CVE-2025-13034 đŸ”ļ medium 5.9 0.0 When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the pu... 2026-01-08
CVE-2025-14017 đŸ”ļ medium 6.3 0.0 When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadver... 2026-01-08
CVE-2025-14524 đŸ”ļ medium 5.3 0.0 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a s... 2026-01-08
CVE-2025-14819 đŸ”ļ medium 5.3 0.0 When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option... 2026-01-08
CVE-2025-15079 đŸ”ļ medium 5.3 0.0 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenl... 2026-01-08
These CVEs affect the same products