Description
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
- Attack Vector
- network
- Complexity
- high
- Privileges
- none
- User Action
- required
- Scope
- changed
- Confidentiality
- low
- Integrity
- none
- Availability
- none
- Weaknesses
- NVD-CWE-noinfo
Metadata
- Primary Vendor
- HAXX
- Published
- 12/11/2024
- Last Modified
- 11/3/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
haxx : curlnetapp : ontapnetapp : ontap_select_deploy_administration_utilitynetapp : h610c_firmwarenetapp : h610s_firmwarenetapp : h615c_firmwarenetapp : h700s_firmwarenetapp : bootstrap_osnetapp : h300s_firmwarenetapp : h410s_firmwarenetapp : h500s_firmware
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.