FYI: CVE-2024-11053 is *not* a critical security flaw, even if now several security-related sites repeat that statement.

This is as good as any reminder that you should read the #curl advisories for #curl issues rather than trusting the scaremongers.

curl.se/docs/CVE-2024-11053.ht

(edit: I wrote an extra '1' in there at first)

1. read my description
2. check out these two in CISA's CVSS assessment:

"attackComplexity": "LOW",
"attackVector": "NETWORK",

3. then please educate me how "the attack" is done here. I must be missing something.

@bagder

I would understand this as saying "there are legitimate configurations which cause curl to reveal the password to a third party". If such a configuration exists, the third party can trivially get the password next time a request that triggers the bug is made.

Is there a separate field there for "likelihood of prerequisites"? (e.g. if we had a hypothetical vulnerability that gave RCE to anyone on the network but only if the timezone of the victim was set to Antarctic, how should that be assessed?)
