Curl Vulnerability Let Attackers Access Sensitive Information

A critical security flaw has been discovered in the popular data transfer tool Curl, potentially allowing attackers to access sensitive information.

The vulnerability, identified as CVE-2024-11053, affects curl versions 6.5 through 8.11.0 and could lead to the exposure of passwords to unauthorized parties.

The security issue arises when curl is configured to use both a .netrc file for credentials and follow HTTP redirects. Under specific circumstances, curl could leak the password used for the initial host to the redirected host. This vulnerability occurs when:

  1. The .netrc file contains an entry matching the redirect target hostname
  2. The entry either omits the password or both the login and password

For example, if a curl transfer to a.tld redirects to b.tld, and the .netrc file has an entry for b.tld without a password, curl would erroneously pass the password from a.tld to b.tld.
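The following Python model is an added illustration, not curl's own code: it parses a constructed .netrc file and contrasts the pre-fix credential lookup (fields the target's entry omits silently keep the first host's values) with the corrected one, plus a small check that lists the entries meeting the advisory's precondition. The sample .netrc and hostnames are constructed.

```python
"""Model of the CVE-2024-11053 credential carry-over (illustration, not curl code)."""

# Constructed sample .netrc: b.tld has a login but no password,
# c.tld has neither login nor password.
SAMPLE_NETRC = """\
machine a.tld login alice password s3cret-a
machine b.tld login bob
machine c.tld
"""


def parse_netrc(text):
    """Parse 'machine HOST [login USER] [password PASS]' lines into a dict."""
    entries = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "machine":
            continue  # 'default' and malformed lines are ignored in this model
        entry = {"login": None, "password": None}
        for i in range(2, len(toks) - 1, 2):
            if toks[i] in ("login", "password"):
                entry[toks[i]] = toks[i + 1]
        entries[toks[1]] = entry
    return entries


def credentials_for_redirect(netrc, first_host_creds, target_host, fixed):
    """Return (login, password) that would be sent to target_host after a redirect.

    first_host_creds: (login, password) already used on the initial host.
    fixed=False models the vulnerable behaviour the advisory describes: a .netrc
    entry that omits a field leaves the first host's value in place.
    fixed=True models the corrected behaviour: the target gets only what its own
    entry supplies, so the first host's password can never cross the redirect.
    """
    entry = netrc.get(target_host)
    if entry is None:
        return (None, None)  # no matching entry: nothing is sent either way
    login, password = entry["login"], entry["password"]
    if not fixed:
        login = login if login is not None else first_host_creds[0]
        password = password if password is not None else first_host_creds[1]
    return (login, password)


def entries_missing_password(netrc):
    """Hosts whose entry omits the password: the precondition for the leak."""
    return sorted(h for h, e in netrc.items() if e["password"] is None)
```

Running `entries_missing_password` over a real .netrc is a quick way to see whether any entry could have triggered the carry-over on an unpatched curl.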

The curl project has classified this vulnerability as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

Despite its potential for credential leakage, the severity of the flaw is rated as Low. The vulnerability affects not only the libcurl library but also the curl command-line tool, which is widely used in various applications.

Solution and Recommendations

The curl project released version 8.11.1 on December 11, 2024, which addresses this security issue. Users are strongly advised to take one of the following actions:

  1. Upgrade curl and libcurl to version 8.11.1 (most preferred)
  2. Apply the patch to the current version and rebuild
  3. Avoid using .netrc files in combination with redirects

The vulnerability was reported to the curl project on November 8, 2024. After investigating the report and developing a fix, the curl team contacted distros@openwall on December 3, 2024.

The official release of curl 8.11.1, along with this security advisory, was coordinated for December 11, 2024, at approximately 06:00 UTC.

Users and administrators must review their curl configurations and update to the latest version to mitigate this vulnerability.