CVE-2024-11053: netrc and redirect credential leak

curl · Dec 11, 2024 · 5734f84 · 5734f84
1 parent 01894a3
commit 5734f84
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 1 deletion.
diff --git a/docs/CVE-2024-11053.md b/docs/CVE-2024-11053.md
@@ -0,0 +1,90 @@
+netrc and redirect credential leak
+==================================
+
+Project curl Security Advisory, December 11th 2024 -
+[Permalink](https://curl.se/docs/CVE-2024-11053.html)
+
+VULNERABILITY
+-------------
+
+When asked to both use a `.netrc` file for credentials and to follow HTTP
+redirects, curl could leak the password used for the first host to the
+followed-to host under certain circumstances.
+
+This flaw only manifests itself if the netrc file has an entry that matches
+the redirect target hostname but the entry either omits just the password or
+omits both login and password.
+
+INFO
+----
+
+A curl transfer with `a.tld` that redirects to `b.tld` that uses a `.netrc`
+like below (with a match, but no password specified for the second host),
+would make curl pass on `alicespassword` as password even in the second
+transfer to the separate host `b.tld`.
+
+~~~
+machine a.tld
+  login alice
+  password alicespassword
+
+default
+  login bob
+~~~
+
+This bug is **not** considered a *C mistake*. It is not likely to have been
+avoided had we not been using C.
+
+This flaw also affects the curl command line tool.
+
+The Common Vulnerabilities and Exposures (CVE) project has assigned the name
+CVE-2024-11053 to this issue.
+
+CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
+
+Severity: Low
+
+AFFECTED VERSIONS
+-----------------
+
+- Affected versions: curl 6.5 to and including 8.11.0
+- Not affected versions: curl < 6.5 and >= 8.11.1
+- Introduced-in: https://github.com/curl/curl/commit/ae1912cb0d494b48d514
+
+libcurl is used by many applications, but not always advertised as such!
+
+SOLUTION
+------------
+
+- Fixed-in: https://github.com/curl/curl/commit/e9b9bbac22c26cf6731
+
+The fix also addresses a few other .netrc related issues.
+
+RECOMMENDATIONS
+---------------
+
+We suggest you take one of the following actions immediately, in order of
+preference:
+
+ A - Upgrade curl and libcurl to version 8.11.1
+
+ B - Apply the patch to your version and rebuild
+
+ C - Avoid using netrc together with redirects
+
+TIMELINE
+---------
+
+This issue was reported to the curl project on November 8, 2024. We contacted
+distros@openwall on December 3, 2024.
+
+curl 8.11.1 was released on December 11 2024 around 06:00 UTC, coordinated
+with the publication of this advisory.
+
+CREDITS
+-------
+
+- Reported-by: Harry Sintonen
+- Patched-by: Daniel Stenberg
+
+Thanks a lot!
diff --git a/docs/Makefile b/docs/Makefile
@@ -179,7 +179,8 @@ CVELIST = \
  CVE-2024-6874.html \
  CVE-2024-7264.html \
  CVE-2024-8096.html \
- CVE-2024-9681.html
+ CVE-2024-9681.html \
+ CVE-2024-11053.html
 
 PAGES = \
  $(CVELIST) \

diff --git a/docs/vuln.pm b/docs/vuln.pm
@@ -16,6 +16,7 @@
 #
 # List of CWEs => https://cwe.mitre.org/data/definitions/658.html
 @vuln = (
+    "CVE-2024-11053.html|6.5|8.11.0|netrc and redirect credential leak|CVE-2024-11053|20241211|20241108|CWE-200: Exposure of Sensitive Information to an Unauthorized Actor|540|netrc|-|both|low|https://hackerone.com/reports/2829063",
     "CVE-2024-9681.html|7.74.0|8.10.1|HSTS subdomain overwrites parent cache entry|CVE-2024-9681|20241105|20241007|CWE-1025: Comparison Using Wrong Factors|540|HSTS|-|both|low|https://hackerone.com/reports/2764830",
     "CVE-2024-8096.html|7.41.0|8.9.1|OCSP stapling bypass with GnuTLS|CVE-2024-8096|20240911|20240819|CWE-295: Improper Certificate Validation|2540|TLS|-|both|medium|https://hackerone.com/reports/2669852",
     "CVE-2024-7264.html|7.32.0|8.9.0|ASN.1 date parser overread|CVE-2024-7264|20240731|20240730|CWE-125: Out-of-bounds Read|540|ASN1|OVERREAD|both|low|https://hackerone.com/reports/2629968",