CVE-2024-11053

NameCVE-2024-11053
DescriptionWhen asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1089682

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)jessie, jessie (lts)7.38.0-4+deb8u28vulnerable
stretch (security)7.52.1-5+deb9u16vulnerable
stretch (lts), stretch7.52.1-5+deb9u22vulnerable
buster, buster (lts)7.64.0-4+deb10u10vulnerable
buster (security)7.64.0-4+deb10u9vulnerable
bullseye7.74.0-1.3+deb11u13vulnerable
bullseye (security)7.74.0-1.3+deb11u14vulnerable
bookworm7.88.1-10+deb12u8vulnerable
bookworm (security)7.88.1-10+deb12u5vulnerable
sid, trixie8.11.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsource(unstable)8.11.1-11089682

Notes

[bookworm] - curl <no-dsa> (Minor issue)
[bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
https://curl.se/docs/CVE-2024-11053.html
Introduced by: https://github.com/curl/curl/commit/ae1912cb0d494b48d514d937826c9fe83ec96c4d (curl-6_5)
Fixed by: https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949 (curl-8_11_1)
[buster] - curl <postponed> (Minor issue; can be fixed in next update)
[stretch] - curl <postponed> (Minor issue; can be fixed in next update)
[jessie] - curl <postponed> (Minor issue; can be fixed in next update)

Search for package or bug name: Reporting problems