{"id":"CURL-CVE-2024-11053","summary":"netrc and redirect credential leak","details":"When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password.","aliases":["CVE-2024-11053"],"modified":"2025-11-05T13:56:14Z","published":"2024-12-11T08:00:00Z","database_specific":{"last_affected":"8.11.0","award":{"amount":"505","currency":"USD"},"package":"curl","affects":"both","CWE":{"id":"CWE-200","desc":"Exposure of Sensitive Information to an Unauthorized Actor"},"www":"https://curl.se/docs/CVE-2024-11053.html","URL":"https://curl.se/docs/CVE-2024-11053.json","severity":"Low","issue":"https://hackerone.com/reports/2829063"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.76.0"},{"fixed":"8.11.1"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"46620b97431e19c53ce82e55055c85830f088cf4"},{"fixed":"e9b9bbac22c26cf67316fa8e6c6b9e831af31949"}]}],"versions":["8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2024-11053.json","vanir_signatures":[{"signature_type":"Function","digest":{"length":2472,"function_hash":"285823273903469814391915165331238113855"},"signature_version":"v1","id":"CURL-CVE-2024-11053-09ea3efb","target":{"function":"override_login","file":"lib/url.c"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949"},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["212475679540259253612427341751147919602","316070286574071712031422804892159775626","172595707867558602092245272494503958366","5515597790412360145148279975364442848","112602484898780047158531616989847857065","273848950808497493554961548277753504793","250025236245734490236654216144409564950","267419157018597400078014976653077576329","226908033118161122998475485214091309012","58375534632879165634244552849478415103","241442177734212412344211505659513955131","290088254368300499731432103117139671267","35817278990275342148130659999354816092","284535861622186449496108509149422784961","312059361359643448341587708320618091742","338089543908075044876358933922158216464","26300263987211900128011014139568763256","113774321053796375165517910052778004658","64955029439143167761562466926490164940","234920301200260132204461808180285853166","231690691005660723242949955560379895491","221592017353720759110650963270684242213","66516779113618437140046527592168730398","333051200875337953677037911045990720690","182928445979017646116640850322265506882","218340230464004107956799599901837966256","257151909097333246726120657678980774511","191200155237469939310075560407774257606","1293038439922184603769950643807637003","326120904920674200286344301266618027691","113774321053796375165517910052778004658","64955029439143167761562466926490164940","234920301200260132204461808180285853166","323351875711896985163600058886128408789","127177553610765635918952680577195793768","241442177734212412344211505659513955131","290088254368300499731432103117139671267","35817278990275342148130659999354816092","218340230464004107956799599901837966256","257151909097333246726120657678980774511","191200155237469939310075560407774257606","1293038439922184603769950643807637003","221596811638999884383696464011636858679","118909991967625929810927433032269172502","167798973239357238219322457088054443094","174621362557949092938570322825551393543","231690691005660723242949955560379895491","221592017353720759110650963270684242213","66516779113618437140046527592168730398","333051200875337953677037911045990720690","182928445979017646116640850322265506882","235795689787596802895923677594871596768","81745184272522747123538169107553751221","281477735145063647363822654522788479746","173366951619969649982683977049317874357","247233752197142446423945583963224563231","104586504569667897203446942376618261159","281669945698595644437262270102406659106","162098682461821994809409653183392207365","231690691005660723242949955560379895491","221592017353720759110650963270684242213","66516779113618437140046527592168730398","333051200875337953677037911045990720690","182928445979017646116640850322265506882","56345804979474238362055352953234513703","82316515023442503377749900479495622666","171270217995424147814391711267191078134","329674154350449285872905063101653424752","235160680041772171750355280663790707218","227371604719806699446960265527732526551","235367082176382978240634610719437720751","145600004680760519137621668664774635607","231690691005660723242949955560379895491","300062826411453613843079148556942133142","108313579775056425290379205072513702474","72714589773918683253646605220498409789","50670018570742778310658121459119778594","60151129493577326689397498727718693002","300062826411453613843079148556942133142","108313579775056425290379205072513702474","123144152066758044129941748179598536357","118997828272104980501264266703493934406","184637392849701310186095366276795286811","235367082176382978240634610719437720751","145600004680760519137621668664774635607","251359696919979946364045563079210948206","7813622514640757408785781809721975136","108313579775056425290379205072513702474","72714589773918683253646605220498409789","50670018570742778310658121459119778594","158519380846143551510230436165397908079"]},"signature_version":"v1","id":"CURL-CVE-2024-11053-226acfb4","target":{"file":"tests/unit/unit1304.c"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949"},{"signature_type":"Function","digest":{"length":3159,"function_hash":"201203478480787820716623313081020003338"},"signature_version":"v1","id":"CURL-CVE-2024-11053-2377ced5","target":{"function":"parsenetrc","file":"lib/netrc.c"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949"},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["273128057981381870895141465273527616887","100171474653047138978537895794272481270","137595094093845842472638125049800161235","257413363146060287578252405522080401062","215226910968509155171059000644944548227","119025104827652102998393169110625017430","89756789500450552438503087515901668493","82925719441122033515501632152836041874","324426282028911715059549428184792503621","185319140254176994703651705746950063083","160175860096740286058098722510082855800","292996584491790417072072538344081535700","239449722674074035846340907505520192357","309974997253687394347929710041054715829","245823585981030731012309285144548900914","151223071099734776999544738942114725312","67030651696561444076868024791519966907","26912509453408518916529033489083425811","170701111692929943582713325401714469907","2041959623418349609217426279822721938","213397273903554194918548191313782290481","21617674931801500876850589593146903073","90724783242593409602050754002068493996","214422907083247254618988308214324258161"]},"signature_version":"v1","id":"CURL-CVE-2024-11053-69170025","target":{"file":"lib/url.c"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949"},{"signature_type":"Function","digest":{"length":227,"function_hash":"83883397545199438522891454098020556407"},"signature_version":"v1","id":"CURL-CVE-2024-11053-94dc8319","target":{"function":"unit_setup","file":"tests/unit/unit1304.c"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949"},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["241612819622423534325448240596066106578","111397327889974961154843024775676086769","93569992433002637422102222124885892459","84204156172315740842922665703643940938","328213109549330538835914557221609739960","180125212198080723370962040297931090879","311565787860474627391290298212551700069","162045309045682678489379015441390873849","117401939028093956506578485951084820658","213910324373979756882913623476561226130","141894160291812281203137495498299853673","39120575367157536332767467226019611208","76055014083823703623273354258550518464","75154033966428586491753881111883193140","267373601200109012433488238925799412440","276577626319667774210565329137758945637","155406248171140717045502925633687972170","51612376393377177169962038974183692349","227999772579119996670887848688334797839","241036828109288775831836584227436965727","74777132886166488109238846663931146377","307994414468135698334575005520066347863","20118759641905270202877666845430198975","81137745712633374669032250454508027525","49298783546116937225656736185430174891","120783352671565299360552886261263742501","42914882290244323572459763699412307895","89648311322704822645775394373472157064","220019710397190646346858218895108623168","328824252085770345946485947062940217864","301149405252039762830934244463371605896","249751107803269942684398983439267745773","244995809674609325632499130380563726748","269856856099793665483536014653742968488","166267962492050268143861681077639815602","177212773188924150441968534032399567267","220259856520527035620310928060456047021","262547567494582946993041232254270389214","149579152916167467000465693427655264406","145589396836837317446826044046079374177","91603560304433290620900286872108993685","112179243782536447944730639882504675980","166808073356876705795804122522034062328","288068187700014760583387393338384766333","248748954725755537387278005880616497683","212686288401402926681344563306713671877","29840892708419470348652860154467991154","139919501900266425115979507948875376815","213340175991499229604341493266362850880","170638605563253917478920964163057752957","100428231478222866783617359351061346242","148935336961555541520371488541084750869","242380124213190564511584528386235066200","49762084402834969080207300103990018150","264906091167660193596416528326555378137","207437395724727213077271242747890737029","299496203543392159441943206183863153296","80938102395488709328680624443922386809","280200693949034250180986440612377357320","264514975460460512882535607203377394043","236388490898099608179003312129990368453","100690282458299211927264679624959026978","115237165177408012617077496583191190612","225491131688708140188201745123205347103","190656694115120670710830057510764676965","167075341956030455055712422252440734898","61852695694431057132478802349045126132","45002743553207628249025199830414936760","186742466746475940710256963863285550839","264671650469516789816103320976483064650","261820503761606408762224858683658037540","330859933668495699998782350309453310179","121302837183156990849155001306191905654","250620410818996823631569467358771531067","278417318836592612976995580251134336434","245782362349635736973070687426616639359","224813960687046674733745223427853988918","98897033465203303162009710396279706274","119392965194065397928972385516038369816","133936108068250915939891072765614789367","72515062628090659649121000562452227721","178578887918836125652635271656417117191","215096574127567619501248155265476498764","93561380377915133196485500888602590885","6607505613713292393081213092960891219","10060585176848009434584283254773152969","258350193968336532876103977056053643959","314363834987760583059279227647928202308","230858537292074969947798634854901589859","38476258370141851968027791623727799772","315796763271929323364338993623437805673","136722592113136996386832862542763492252","6284367716173937902893382909789388693","61222916801896571117796076152249809313","299231762418682593509935497221585778573","239684088203193554108241243353974326615","148699617553212007421872411200686682407","203183486501276299598355755114555523815","143466341150358524457284154722289500796"]},"signature_version":"v1","id":"CURL-CVE-2024-11053-dbeb0843","target":{"file":"lib/netrc.c"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949"}]}}],"schema_version":"1.7.3","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}