vulnerability
Amazon Linux 2023: CVE-2024-11053: Medium priority package update for curl
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:N/C:C/I:N/A:N) | Dec 11, 2024 | Jan 12, 2026 | Jan 12, 2026 |
Severity
7
CVSS
(AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published
Dec 11, 2024
Added
Jan 12, 2026
Modified
Jan 12, 2026
Description
When asked to both use a `.netrc` file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has an entry that matches
the redirect target hostname but the entry either omits just the password or
omits both login and password.
A vulnerability was found in libcurl. When .netrc is used to follow with HTTP redirects, curl could leak the password used for the first host to the followed-to host under some circumstances. For example: A curl transfer with `a.com` that redirects to `b.com` that uses a `.netrc` with a match but no password specified for the second host would make curl pass on `alicespassword` as the password even in the second transfer to the separate host `b.com`.
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has an entry that matches
the redirect target hostname but the entry either omits just the password or
omits both login and password.
A vulnerability was found in libcurl. When .netrc is used to follow with HTTP redirects, curl could leak the password used for the first host to the followed-to host under some circumstances. For example: A curl transfer with `a.com` that redirects to `b.com` that uses a `.netrc` with a match but no password specified for the second host would make curl pass on `alicespassword` as the password even in the second transfer to the separate host `b.com`.
Solutions
amazon-linux-2023-upgrade-curlamazon-linux-2023-upgrade-curl-debuginfoamazon-linux-2023-upgrade-curl-debugsourceamazon-linux-2023-upgrade-curl-minimalamazon-linux-2023-upgrade-curl-minimal-debuginfoamazon-linux-2023-upgrade-libcurlamazon-linux-2023-upgrade-libcurl-debuginfoamazon-linux-2023-upgrade-libcurl-develamazon-linux-2023-upgrade-libcurl-minimalamazon-linux-2023-upgrade-libcurl-minimal-debuginfo
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.