CVE-2024-11053
Publication date 11 December 2024
Last updated 30 May 2025
Ubuntu priority
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
Why is this CVE low priority?
curl developers have rated this issue as low severity
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| curl | 25.04 plucky |
Fixed 8.11.1-1ubuntu1
|
| 24.10 oracular |
Fixed 8.9.1-2ubuntu2.2
|
|
| 24.04 LTS noble |
Fixed 8.5.0-2ubuntu10.6
|
|
| 22.04 LTS jammy |
Fixed 7.81.0-1ubuntu1.20
|
|
| 20.04 LTS focal |
Fixed 7.68.0-1ubuntu2.25
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
3.4 · Low
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-7162-1
- curl vulnerability
- 16 December 2024