CVE-2024-11053: Curl Flaw Could Expose Sensitive Information

A vulnerability has been discovered in the widely used data transfer tool Curl, potentially allowing attackers to gain access to sensitive information. Tracked as CVE-2024-11053, the flaw affects Curl versions 6.5 through 8.11.0 and may result in password leakage.

The security issue arises when Curl is configured to use a .netrc file for storing credentials while performing HTTP redirects. Under certain conditions, passwords associated with the original host could be transmitted to the redirected host. This occurs if:

• The .netrc file contains an entry corresponding to the redirect target host.
• That entry lacks a password or both username and password.

For example, if Curl redirects a request from a.tld to b.tld and the .netrc file contains an entry for b.tld without a password, Curl might inadvertently send the password for a.tld to b.tld.

This vulnerability is classified as CWE-200, denoting the exposure of sensitive information to unauthorized parties. Despite the potential risks, its severity has been assessed as low. Both the libcurl library and the Curl command-line tool, extensively utilized in various applications, are affected.

The Curl project addressed this issue by releasing version 8.11.1 on December 11, 2024. Users are strongly advised to:

• Update Curl and libcurl to version 8.11.1.
• Apply the patch to their current version and rebuild it.
• Avoid using .netrc files in conjunction with HTTP redirects.

The vulnerability was reported to the Curl project on November 8, 2024. Following an in-depth analysis and resolution, the Curl team notified the distros@openwall community on December 3, 2024. The release of version 8.11.1 and the publication of the official advisory were coordinated on December 11, 2024.

Users and administrators are urged to review their Curl configurations and upgrade to the latest version to mitigate the risk of potential data leaks.