When asking curl to use a .netrc file to find credentials and at the same
time specifying a URL with a username(without a password), like
https://user@example.com/, curl could wrongly get and use the password for
another user set in the .netrc file for that host if such a one exists and
there is no match for the specified user.
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Curl | Haxx | 8.11.1 (including) | 8.21.0 (excluding) |
| Red Hat Hardened Images | RedHat | rust-main-1.96.1-1.hum1 | * |
| Curl | Ubuntu | devel | * |
| Curl | Ubuntu | questing | * |
| Curl | Ubuntu | resolute | * |
| Curl | Ubuntu | upstream | * |