LOW · 3.4

CVE-2024-11053

Vulnerability Description

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
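
The flaw is easiest to see as a credential-lookup model. The block below is an added illustration, not curl's code: the sample `.netrc`, the hostnames and both lookup strategies are constructed here. `creds_vulnerable` models the behaviour the advisory describes (one credential record reused across the redirect chain, with only the fields present in the new host's entry overwriting it; a host with no entry at all gets no netrc credentials, matching the "only manifests if an entry matches" condition), `creds_fixed` models per-hop lookup that never carries a value from a previous host, and `incomplete_entries` is the audit check a practitioner would run over an existing `.netrc` to find the entries that trigger the condition.

```python
# Added illustration of CVE-2024-11053; not curl's code. The sample .netrc,
# hostnames and both lookup strategies are constructed for this example.

# Constructed sample: full entry for the first host, a password-less entry
# for the redirect target, an entry with neither login nor password, and
# no entry at all for other.example.
SAMPLE_NETRC = """\
# constructed sample .netrc
machine origin.example login alice password hunter2
machine redirect.example login bob
machine empty.example
"""


def parse_netrc(text):
    """Minimal .netrc parser (machine/default/login/user/password/account).

    Comment lines starting with '#' are skipped; macdef blocks are not
    handled. Returns {hostname: {field: value}} and records only the fields
    that are actually present in each entry, which is what makes the
    carry-over below possible.
    """
    entries = {}
    current = None
    tokens = [t for line in text.splitlines()
              if not line.lstrip().startswith("#")
              for t in line.split()]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = tokens[i + 1]
            entries[current] = {}
            i += 2
        elif tok == "default":
            current = "default"
            entries[current] = {}
            i += 1
        elif tok in ("login", "user", "password", "account") and current is not None:
            field = "login" if tok == "user" else tok
            entries[current][field] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries


def creds_vulnerable(entries, hosts):
    """Model of the pre-8.11.1 behaviour: a single credential record is
    reused along the redirect chain and only fields found in the new host's
    entry overwrite it, so a missing password (or missing login+password)
    leaves the previous host's values in place and they get sent onward.
    Returns [(host, login, password)] as sent to each hop."""
    creds = {"login": None, "password": None}
    sent = []
    for host in hosts:
        entry = entries.get(host)
        if entry is None:
            # No matching entry: no netrc credentials for this hop.
            creds = {"login": None, "password": None}
        else:
            creds.update(entry)  # absent keys keep the old host's values
        sent.append((host, creds["login"], creds["password"]))
    return sent


def creds_fixed(entries, hosts):
    """Model of the corrected behaviour: credentials are derived from the
    current host's entry alone; nothing from an earlier hop is carried."""
    sent = []
    for host in hosts:
        entry = entries.get(host, {})
        sent.append((host, entry.get("login"), entry.get("password")))
    return sent


def incomplete_entries(entries):
    """Audit helper: hostnames whose .netrc entry has no password field.
    These are exactly the entries that, as redirect targets, trigger the
    leak on affected curl versions."""
    return sorted(h for h, e in entries.items() if "password" not in e)


if __name__ == "__main__":
    entries = parse_netrc(SAMPLE_NETRC)
    chain = ["origin.example", "redirect.example"]
    print("vulnerable:", creds_vulnerable(entries, chain))
    print("fixed:     ", creds_fixed(entries, chain))
    print("audit:     ", incomplete_entries(entries))
```

Running it shows the password `hunter2` for origin.example being sent to redirect.example under the vulnerable model, while the fixed model sends the login `bob` with no password. The audit list is the practical mitigation on hosts that cannot be upgraded yet: either give every entry that may appear as a redirect target a password of its own, or stop combining `--netrc` with `--location` for those requests.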

CVSS Score

3.4

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality: LOW
Integrity: NONE
Availability: NONE

Affected Products

Vendor   Product                                      Versions
Haxx     Curl                                         >= 7.76.0, < 8.11.1
Netapp   Ontap                                        9
Netapp   Ontap Select Deploy Administration Utility   -
Netapp   H610C Firmware                               -
Netapp   H610C                                        -
Netapp   H610S Firmware                               -
Netapp   H610S                                        -
Netapp   H615C Firmware                               -
Netapp   H615C                                        -
Netapp   H700S Firmware                               -
Netapp   H700S                                        -
Netapp   Bootstrap Os                                 -
Netapp   Hci Compute Node                             -
Netapp   H300S Firmware                               -
Netapp   H300S                                        -
Netapp   H410S Firmware                               -
Netapp   H410S                                        -
Netapp   H500S Firmware                               -
Netapp   H500S                                        -

A dash in the Versions column means the page gives no version range for that product.

References

FAQ

What is CVE-2024-11053?

CVE-2024-11053 is a vulnerability in curl with a CVSS score of 3.4 (LOW). When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

How severe is CVE-2024-11053?

CVE-2024-11053 has been rated LOW with a CVSS base score of 3.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-11053?

Check the references section above for vendor advisories and patch information. The affected-version range listed above for curl ends at 8.11.1 (>= 7.76.0, < 8.11.1), so 8.11.1 is the first curl release outside the affected range. Affected products include: Haxx Curl, Netapp Ontap, Netapp Ontap Select Deploy Administration Utility, Netapp H610C Firmware, Netapp H610C, and the other NetApp products in the table above.