A critical security flaw has been discovered in the popular data transfer tool Curl, potentially allowing attackers to access sensitive information.

The vulnerability, identified as CVE-2024-11053, affects curl versions 6.5 through 8.11.0 and could lead to the exposure of [passwords](https://cybersecuritynews.com/900-websites-10m-passwords-plaintext-exposed/) to unauthorized parties.

The security issue arises when curl is configured to use both a .netrc file for credentials and to follow HTTP redirects. Under specific circumstances, curl could leak the password used for the initial host to the redirected host. This vulnerability occurs when:

1. The .netrc file contains an entry matching the redirect target hostname
2. The entry either omits the password or omits both the login and the password

For example, if a curl transfer to a.tld redirects to b.tld, and the .netrc file has an entry for b.tld without a password, curl would erroneously pass the password from a.tld to b.tld.

The curl project has classified this vulnerability as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Despite its potential for credential leakage, the severity of the flaw is rated as Low. The vulnerability affects not only the [libcurl](https://cybersecuritynews.com/trellix-enterprise-security-manager-flaw/) library but also the curl command-line tool, which is widely used in various applications.

Solution and Recommendations
----------------------------

The curl project [released](https://curl.se/docs/vuln-8.11.1.html) version 8.11.1 on December 11, 2024, which addresses this security issue. Users are strongly advised to take one of the following actions:

1. Upgrade curl and libcurl to version 8.11.1 (most preferred)
2. Apply the patch to the current version and rebuild
3. Avoid using .netrc files in combination with redirects

The vulnerability was reported to the curl project on November 8, 2024. After investigating the issue and developing a fix, the curl team contacted distros@openwall on December 3, 2024. The official release of curl 8.11.1, along with this security advisory, was coordinated for December 11, 2024, at approximately 06:00 UTC.

Users and administrators must review their curl configurations and update to the latest version to mitigate this vulnerability.

The post [Curl Vulnerability Let Attackers Access Sensitive Information](https://cybersecuritynews.com/curl-vulnerability-attackers-sensitive-information/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
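The following is an added example, not code from the article or from the curl project: it audits a .netrc file for the entry shape the advisory describes (an entry for the redirect target with no password, or with neither login nor password) and models, in simplified form, which credentials reach the redirect target before and after the fix. The .netrc text, the hostnames and the function names are constructed for illustration; the model only covers the two cases the advisory states and is not curl's actual credential logic.

```python
"""Audit .netrc entries for the CVE-2024-11053 precondition and model the
leak described in the advisory (simplified model, not curl's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample .netrc: b.tld lacks a password, c.tld lacks both.
SAMPLE_NETRC = """\
machine a.tld login alice password s3cret
machine b.tld login bob
machine c.tld
machine d.tld login dave password other
"""

@dataclass
class Entry:
    login: Optional[str] = None
    password: Optional[str] = None

def parse_netrc(text: str) -> Dict[str, Entry]:
    """Minimal .netrc tokenizer: handles machine/default/login/password
    only (macdef blocks are not supported). Keys are hostnames or 'default'."""
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    tokens, i = text.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("machine", "default"):
            key = "default" if tok == "default" else tokens[i + 1]
            current = entries[key] = Entry()
            i += 1 if tok == "default" else 2
        elif tok in ("login", "password") and current is not None:
            setattr(current, tok, tokens[i + 1])
            i += 2
        else:
            i += 1
    return entries

def incomplete_entries(entries: Dict[str, Entry]) -> List[str]:
    """Hosts whose entry omits the password (with or without a login):
    exactly the entries the advisory says enable the leak on redirect."""
    return sorted(h for h, e in entries.items() if e.password is None)

def creds_after_redirect(entries: Dict[str, Entry], first_host: str,
                         target_host: str, patched: bool) -> Tuple:
    """(login, password) sent to target_host after a redirect from first_host."""
    target = entries.get(target_host)
    if target is None:
        return (None, None)                 # no matching entry: nothing is sent
    if target.password is None and not patched:
        first = entries.get(first_host, Entry())
        login = target.login if target.login is not None else first.login
        return (login, first.password)      # unpatched: first host's password leaks
    return (target.login, target.password)  # patched: only the target's own entry
```

Running `incomplete_entries` over an existing .netrc is the practical check: any host it lists should get its own password or be removed before curl is used with redirects on an unpatched build.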