Apparently #CISA has rated #curl #vulnerability #CVE_2024_11053 as #CVSS v3 Base Score 9.1 "critical". This is wrong, and will lead to automation triggering unnecessary warnings and blocking use of perfectly fine systems until an update is installed (which can take months). https://nvd.nist.gov/vuln/detail/CVE-2024-11053

Edit: In case you wonder my credentials for judging this: I found this vulnerability.

Edit2: This appears to be originating from CISA: https://www.cve.org/Media/News/item/blog/2024/06/04/CISA-Added-as-CVE-Authorized-Data-Publisher

Edit3: The score has now been fixed. Commit: https://github.com/cisagov/vulnrichment/commit/91fadb2bf6b461638c8155978b9f20cf17e51fe3

data updated · cisagov/vulnrichment@91fadb2

A repo to conduct vulnerability enrichment. Contribute to cisagov/vulnrichment development by creating an account on GitHub.

^GitHub

#curl 8.11.1 has been released. It includes a fix to #CVE_2024_11053 - a #vulnerability I discovered.

It is a logic flaw in the way curl parses .netrc file. In certain situations, the configured password can be sent to a incorrect host. Luckily the affected configurations should be quite rare and thus the situation is unlikely to occur often.

The issue has existed in the curl source code for almost twenty-five years.

• https://curl.se/docs/CVE-2024-11053.html
• https://hackerone.com/reports/2829063

No AI tools were used in discovering or reporting the vulnerability.

#noai #handcrafted #infosec #cybersecurity