CVE-2024-11053: 
MySQL vulnerability analysis and mitigation

CVE-2024-11053 is a vulnerability in curl discovered in December 2024 that affects versions 7.76.0 to 8.11.0. The vulnerability occurs when curl is configured to both use a .netrc file for credentials and follow HTTP redirects, potentially leading to password leakage from the first host to the redirected host (Curl Advisory, OSS Security).

The vulnerability manifests when a curl transfer with credentials stored in a .netrc file performs a redirect, and the .netrc file contains an entry for the redirect target hostname but either omits the password or both login and password fields. In such cases, curl incorrectly passes the password intended for the initial host to the second host during the redirect. The vulnerability has been assigned CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and received a CVSS score of 3.4 (Low) (Curl Advisory, Security Online).

The vulnerability could lead to unauthorized disclosure of sensitive credentials to third-party servers during HTTP redirects. When exploited, the password intended for the initial host could be exposed to the redirect target host, potentially compromising user security (Curl Advisory).

The vulnerability has been fixed in curl version 8.11.1. Users are recommended to either upgrade to version 8.11.1 or later, apply the provided patch to their current version, or avoid using netrc together with redirects as a temporary workaround (Curl Advisory).

The vulnerability was initially reported by Harry Sintonen on November 8, 2024, and was patched by Daniel Stenberg. The fix was released on December 11, 2024, coordinated with the publication of the security advisory. CISA has assessed the vulnerability and adjusted its CVSS score from 9.1 down to 3.4, indicating a lower severity than initially thought (Security Online).