There is a critical vulnerability in the command line program wget, which has a CVSS Base Score of 10.0. CERT-Bund warns of the vulnerability, which is contained in wget versions <=1.24.5. An attacker can carry out an unspecified attack. Anyone using wget under Linux or Windows should take urgent action and stop using the program, because there is no updated version yet.
What is wget?
wget is a free command line program from the GNU project for downloading files from the Internet. The supported protocols include ftp, http and https. The program is available for Unix, GNU/Linux, OS/2, Windows and SkyOS, among others. It is licensed under the GNU General Public License and can be downloaded from the Wget page.
Critical wget vulnerability CVE-2024-38428
German blog reader Bernie pointed out in the discussion area of my blog that there is a warning from the German CERT-Bund, dated June 17, 2024, about wget (thanks for that). A vulnerability has been discovered that is rated as critical and has a CVSS base score of 10.0.
The vulnerability affects the open source wget versions up to and including version 1.24.5 (which is the current version). CERT-Bund only states that an anonymous remote attacker can exploit the vulnerability in wget to carry out an unspecified attack. The vulnerability warning is available on GitHub.
Details on the vulnerability CVE-2024-38428
CVE-2024-38428 reports that the url.c module in GNU Wget up to 1.24.5 incorrectly handles semicolons in the userinfo subcomponent of a URI. This can lead to unsafe behavior where data that should belong to the userinfo subcomponent is instead interpreted as part of the host subcomponent. Tim Rübsen discusses the details of this bug, known since June 2, 2024, on the gnu.org list in the post Re: Semicolon not allowed in userinfo.
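To make the userinfo/host ambiguity concrete, here is an added pre-flight check (my own example, not code from the original post or from the wget project) that scripts can run before handing an untrusted URL to wget: it parses the authority with RFC 3986 semantics via urllib and refuses any URL whose userinfo contains a semicolon, the case the CVE describes. The function name `check_url_for_wget`, the `UrlCheck` class and the `*.example` hostnames are my own constructions.

```python
"""Pre-flight check for URLs handed to wget (added example, not from the
original post or the wget project).  Per RFC 3986 a semicolon is a legal
sub-delim inside the userinfo subcomponent, so a spec-compliant parser and a
parser that treats ';' as a terminator can disagree about which host a URL
names.  This check parses with urllib (RFC 3986 semantics) and refuses any
URL whose userinfo contains ';', which is the case CVE-2024-38428 concerns."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class UrlCheck:
    url: str
    host: Optional[str]      # host per RFC 3986: authority after the last '@'
    userinfo: Optional[str]  # everything before the last '@' in the authority
    safe: bool
    reason: str


def check_url_for_wget(url: str) -> UrlCheck:
    """Return the RFC 3986 host and whether the URL is safe to pass to wget."""
    parts = urlsplit(url)
    # urlsplit keeps the whole authority in .netloc; split on the LAST '@',
    # which is how RFC 3986 section 3.2 defines the userinfo/host boundary.
    userinfo, sep, _hostport = parts.netloc.rpartition("@")
    if not sep:
        userinfo = None
    host = parts.hostname
    if parts.scheme not in ("http", "https", "ftp"):
        return UrlCheck(url, host, userinfo, False, "unsupported scheme")
    if not host:
        return UrlCheck(url, host, userinfo, False, "no host in authority")
    if userinfo is not None and ";" in userinfo:
        # The ambiguous case: an RFC-compliant parser says the host is what
        # follows '@', while a parser that stops at ';' would take part of the
        # userinfo as the host.  Refuse rather than guess which one wget does.
        return UrlCheck(url, host, userinfo, False,
                        "semicolon in userinfo (CVE-2024-38428 ambiguity)")
    return UrlCheck(url, host, userinfo, True, "ok")


if __name__ == "__main__":
    # Constructed sample inputs; the hostnames are placeholders.
    for sample in ("https://downloads.example/file.tar.gz",
                   "https://user:pw@downloads.example/file.tar.gz",
                   "https://downloads.example;@other.example/file.tar.gz"):
        r = check_url_for_wget(sample)
        print(f"{'ALLOW' if r.safe else 'BLOCK'} host={r.host!r} {r.reason}")
```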
Manipulated URLs could reveal authentication details and sensitive information. There is also a risk of manipulation. Norddeutsch summarized it like this in a comment: The linked discussions (git here, esp. gnu.org) address concrete possible abuse:
- Auth Details: exposure of sensitive information
- Host Header Manipulation: phishing, MitM redirect
- Data leakage: unintended exposure of credentials
As far as I have seen on a quick look, there is not yet a wget update that fixes this vulnerability. You should therefore refrain from using the command line tool for the moment. German blog reader Norddeutsch estimates that the Linux distributions will have a fixed version ready in a few days.