Critical vulnerability CVE-2024-38428 in wget

Sicherheit (Pexels, allgemeine Nutzung)[German]There is a critical vulnerability in the command line program wget, which has a CVSS Base Score of 10.0. CERT-Bund warns of the vulnerability, which is contained in wget versions <=1.24.5. An attacker can carry out an unspecified attack. Anyone using wget under Linux or Windows should take urgent action and stop using the program. Because there is no updated version yet.


Advertising

Was ist wget?

wget is a free command line program from the GNU project for downloading files from the Internet. The supported protocols include ftp, http and https. The program is available for Unix, GNU/Linux, OS/2, Windows and SkyOS, among others. It is licensed under the GNU General Public License and can be downloaded from the Wget page.

Critical wget vulnerability CVE-2024-38428

German blog reader Bernie pointed out within the discussion area of my blog, that there is a warning from German CERT-Bund, dated June 17, 2024, about wget (thanks for that). A vulnerability has been discovered that is rated as critical and has a CVSS base score of 10.0.

The vulnerability affects the open source versions of wget versions up to and including version 1.24.5 (which is the current version). The CERT-Bund only states that an anonymous remote attacker can exploit the vulnerability in wget to carry out an unspecified attack. This vulnerability warning is available on GitHub.

Details on the vulnerability CVE-2024-3842

CVE-2024-38428 reports that the url.c module in GNU Wget up to 1.24.5 incorrectly handles semicolons in the userinfo subcomponent of a URI. This can lead to unsafe behavior where data that should be in the userinfo subcomponent is incorrectly interpreted as part of the host subcomponent. Tim Rübsen discusses the details of this bug discovered since June 2, 2024 on the gnu.org list in the post Re: Semicolon not allowed in userinfo.


Advertising

Manipulated URLs could reveal authentication details and sensitive information. There is also a risk of manipulation. Norddeutsch summarized it like this in a comment: The linked discussions git here, esp. gnu.org address concrete possible abuse:

  • Auth Details: exposure of sensitive information
  • Host Header Manipulation: phishing, MitM redirect
  • Data leakage. unintended exposure of credentials

As far as I have seen quickly, there is not yet a wget update that fixes this vulnerability. You should therefore refrain from using the command line command at the moment. German blog reader Nordeutsch estimates that the Linux distributions will be ready with a fixed version in a few days.

This entry was posted in Allgemein. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).