Curl Vulnerability Let Attackers Access Sensitive Information
A critical security flaw has been discovered in the popular data transfer tool Curl, potentially allowing attackers to access sensitive information.
The vulnerability, identified as CVE-2024-11053, affects curl versions 6.5 through 8.11.0 and could lead to the exposure of passwords to unauthorized parties.
The security issue arises when curl is configured to use a .netrc file for credentials and is also allowed to follow HTTP redirects. Under specific circumstances, curl could leak the password used for the initial host to the redirected host. This vulnerability occurs when:
For example, if a curl transfer to a.tld redirects to b.tld, and the .netrc file has an entry for b.tld that specifies a login but no password, curl would erroneously send the password from the a.tld entry to b.tld.
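To make the redirect condition concrete, the following is an added example (not curl's code and not from the article): a small model that parses a constructed .netrc, shows how a redirect from a.tld to b.tld could carry a.tld's password into the request for b.tld when b.tld's entry lacks a password, and shows the corrected behaviour beside it. It also includes two defensive checks a practitioner would want: an audit that lists .netrc entries with a login but no password, and a test of whether a curl version string falls inside the 6.5 through 8.11.0 range the article names. The hostnames, logins and passwords are constructed sample values.

```python
"""
Model of the CVE-2024-11053 condition described above (added example, not curl's
own implementation). The parser is deliberately minimal and only models the
'machine', 'default', 'login'/'user' and 'password' tokens.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (6, 5)       # first affected release named in the article
AFFECTED_MAX = (8, 11, 0)   # last affected release named in the article

Entry = Dict[str, Optional[str]]

# Constructed sample .netrc: b.tld names a login but omits the password.
SAMPLE_NETRC = """
machine a.tld login alice password s3cret-a
machine b.tld login bob
"""


def parse_netrc(text: str) -> Dict[str, Entry]:
    """Return {host: {'login': ..., 'password': ...}}; password is None when absent."""
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine" and i + 1 < len(tokens):
            current = {"login": None, "password": None}
            entries[tokens[i + 1]] = current
            i += 2
        elif tok == "default":
            current = {"login": None, "password": None}
            entries["default"] = current
            i += 1
        elif tok in ("login", "user") and current is not None and i + 1 < len(tokens):
            current["login"] = tokens[i + 1]
            i += 2
        elif tok == "password" and current is not None and i + 1 < len(tokens):
            current["password"] = tokens[i + 1]
            i += 2
        else:
            i += 1  # tokens this toy parser does not model (account, macdef, ...)
    return entries


def lookup(entries: Dict[str, Entry], host: str) -> Optional[Entry]:
    """Host-specific entry first, then the 'default' entry if one exists."""
    return entries.get(host) or entries.get("default")


def credentials_before_fix(entries: Dict[str, Entry], first_host: str,
                           redirect_host: str) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Models the faulty behaviour: when the redirected host's entry has no
    password, the password already loaded for the first host is reused."""
    first = lookup(entries, first_host) or {"login": None, "password": None}
    second = lookup(entries, redirect_host)
    if second is None:
        return None
    password = second["password"] if second["password"] is not None else first["password"]
    return second["login"], password


def credentials_after_fix(entries: Dict[str, Entry], first_host: str,
                          redirect_host: str) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Models the corrected behaviour: only the redirected host's own entry
    is consulted, so nothing from the first host crosses the redirect."""
    second = lookup(entries, redirect_host)
    if second is None:
        return None
    return second["login"], second["password"]


def audit_netrc(entries: Dict[str, Entry]) -> List[str]:
    """Hosts whose entry names a login but no password: the configuration
    shape that triggers the leak, worth cleaning up on any curl version."""
    return sorted(h for h, e in entries.items() if e["login"] and e["password"] is None)


def parse_version(ver: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in ver.strip().split("."))


def is_affected_version(ver: str) -> bool:
    """True when the version lies within 6.5 .. 8.11.0 inclusive."""
    return AFFECTED_MIN <= parse_version(ver) <= AFFECTED_MAX


if __name__ == "__main__":
    entries = parse_netrc(SAMPLE_NETRC)
    print("before fix, b.tld receives:", credentials_before_fix(entries, "a.tld", "b.tld"))
    print("after fix,  b.tld receives:", credentials_after_fix(entries, "a.tld", "b.tld"))
    print("entries with login but no password:", audit_netrc(entries))
    for v in ("7.88.1", "8.11.0", "8.11.1"):
        print(f"curl {v} in affected range: {is_affected_version(v)}")
```

Running the block prints `('bob', 's3cret-a')` for the pre-fix model and `('bob', None)` for the corrected one; the audit flags `b.tld`. In practice the two useful actions are the ones the checks reflect: confirm the installed curl is outside the affected range, and remove .netrc entries that carry a login without a password so a redirect never has a half-filled entry to complete.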
Read More at cybersecuritynews.com
1w: Insightful
1w: "Timely disclosure and clear mitigation steps by the Curl team demonstrate excellent handling of this vulnerability—commendable work!"
1w: Very informative and insightful
1w: PLEASE ASSIST AND PASS THIS MESSAGE OF CONCERN TO THE ATTORNEY GENERAL DOUG MOYLAN ON GUAM WHO HAS BLOCKED ME FROM SEEKING ASSISTANCE FROM HIS LOCAL ELECTED GOV GUAM AGENCY TO STOP COVERING AND PROTECTING HIS ASSOCIATE FROM APT 23 OCEAN BLUE APARTMENTS YPAO ROAD TAMUNING GUAM 96913 WHO HE AND OTHER LOCAL GOV GUAM OFFICIALS ENABLED HIS CRYSTALMETH DISTRIBUTION GANGSTALKING ORGANIZED CRIMINALS ACCESS TO IDENTITY THEFT ME AND COMMIT FRAUD IN MY NAME FOR ONE YEAR FOUR MONTHS I REPORTED JUNE 2023 TUMON POLICE DEPARTMENT THANK YOU FOR HELPING IS IT COMMON PRACTICE IN 2024 FOR THE LOCAL LAW ENFORCEMENT AFFILIATE LAW ENFORCEMENT SPECIAL UNIT TO BE IN CONTROL OF THE TERRITORY AND SALES AND DISTRIBUTION OF THE DRUG TRAFFICKING THAT USED TO BE OF MOM AND POP OR THE PASSING BY SYNDICATE OR CARTEL OF THE AREA AS IT IS ON THE UNITED STATES TERRITORY OF GUAM. WHO CONTROLS THE PROFIT AND WHAT GOV PROGRAMS DOES IT FUND. THE SAME KINGPIN I REPORTED LAST JUNE 2023 IS THE ONE IN CHARGE...