{"id":34215,"date":"2024-06-18T08:26:57","date_gmt":"2024-06-18T06:26:57","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=34215"},"modified":"2025-06-07T15:32:47","modified_gmt":"2025-06-07T13:32:47","slug":"critical-vulnerability-cve-2024-38428-in-wget","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/06\/18\/critical-vulnerability-cve-2024-38428-in-wget\/","title":{"rendered":"Critical vulnerability CVE-2024-38428 in wget"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Security (Pexels, general use)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" alt=\"Security (Pexels, general use)\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/06\/18\/kritische-schwachstelle-cve-2024-38428-in-wget-dringend-handeln\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] There is a critical vulnerability in the command line program wget, rated with a CVSS base score of 10.0. CERT-Bund warns of the vulnerability, which is present in wget versions &lt;=1.24.5. A remote attacker can carry out an as yet unspecified attack. Anyone using wget under Linux or Windows should take urgent action and stop using the program, because there is no updated release yet.<\/p>\n<h2>What is wget?<\/h2>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Wget\" target=\"_blank\" rel=\"noopener\">wget<\/a> is a free command line program from the GNU project for downloading files from the Internet. The supported protocols include FTP, HTTP and HTTPS. The program is available for Unix, GNU\/Linux, OS\/2, Windows and SkyOS, among others. 
It is licensed under the GNU General Public License and can be downloaded from the <a href=\"https:\/\/www.gnu.org\/software\/wget\/\" target=\"_blank\" rel=\"noopener\">Wget page<\/a>.<\/p>\n<h2>Critical wget vulnerability CVE-2024-38428<\/h2>\n<p>German blog reader Bernie pointed out in the comments on my blog that there is a <a href=\"https:\/\/wid.cert-bund.de\/portal\/wid\/securityadvisory?name=WID-SEC-2024-1386\" target=\"_blank\" rel=\"noopener\">warning from the German CERT-Bund<\/a>, dated June 17, 2024, about wget (thanks for that). A vulnerability has been discovered that is rated as critical and has a CVSS base score of 10.0.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i.postimg.cc\/GmSbNsJL\/image.png\" \/><\/p>\n<p>The vulnerability affects wget up to and including version 1.24.5, which is the current release. CERT-Bund only states that an anonymous remote attacker can exploit the vulnerability in wget to carry out an unspecified attack. The advisory is also available <a href=\"https:\/\/github.com\/advisories\/GHSA-2j66-vp53-phjj\" target=\"_blank\" rel=\"noopener\">on GitHub<\/a>.<\/p>\n<h2>Details on the vulnerability CVE-2024-38428<\/h2>\n<p><a href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2024-38428\/\" target=\"_blank\" rel=\"noopener\">CVE-2024-38428<\/a> states that url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI. As a result, data that belongs to the userinfo subcomponent can be misinterpreted as part of the host subcomponent. RFC 3986 permits the semicolon as a sub-delimiter inside userinfo, so a parser that does not expect it there will disagree with RFC-compliant parsers about where the host begins. 
Tim R\u00fchsam discusses the details of this bug, known since June 2, 2024, on the gnu.org bug-wget list in the post <a href=\"https:\/\/lists.gnu.org\/archive\/html\/bug-wget\/2024-06\/msg00005.html\" target=\"_blank\" rel=\"noopener\">Re: Semicolon not allowed in userinfo<\/a>.<\/p>\n<p>Crafted URLs could expose authentication details and other sensitive information, and there is also a risk of the target host being manipulated. Blog reader Norddeutsch summarized it like this in a comment: The linked discussions, git here and esp. gnu.org, address concrete possible abuse:<\/p>\n<ul>\n<li>Auth details: exposure of sensitive information<\/li>\n<li>Host header manipulation: phishing, MitM redirect<\/li>\n<li>Data leakage: unintended exposure of credentials<\/li>\n<\/ul>\n<p>From a quick look, there is not yet a wget release that fixes this vulnerability. You should therefore refrain from using the command line tool for the moment. German blog reader Norddeutsch estimates that the Linux distributions will ship a fixed version within a few days.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]There is a critical vulnerability in the command line program wget, which has a CVSS Base Score of 10.0. CERT-Bund warns of the vulnerability, which is contained in wget versions &lt;=1.24.5. An attacker can carry out an unspecified attack. 
Anyone &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/06\/18\/critical-vulnerability-cve-2024-38428-in-wget\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1319],"tags":[],"class_list":["post-34215","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/34215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=34215"}],"version-history":[{"count":2,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/34215\/revisions"}],"predecessor-version":[{"id":38312,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/34215\/revisions\/38312"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=34215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=34215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=34215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
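Worked example for the "Details on the vulnerability CVE-2024-38428" section of the post above. This is added illustration code, not wget's url.c and not code from the post or its commenters: it splits the authority part of a URL two ways, once following RFC 3986 (where ';' is a legal sub-delimiter inside userinfo) and once with a deliberately buggy scanner that treats ';' as a terminator while looking for the '@' that ends userinfo, so that a ';' placed before the '@' makes it take the userinfo text as the host. That buggy mechanism is an assumption chosen to reproduce the misinterpretation the CVE text describes, not a claim about wget's actual code path. The sample URLs are constructed; example.com and example.net are reserved documentation names.

```c
/* Added example (not wget's url.c): RFC 3986 authority splitting versus a
 * buggy splitter that treats ';' as a terminator while looking for the '@'
 * that ends userinfo. The buggy mechanism is an assumption for illustration. */
#include <stdio.h>
#include <string.h>

#define MAXLEN 256

struct authority {
    char userinfo[MAXLEN];  /* empty string if the URL carries no userinfo */
    char host[MAXLEN];
};

/* Authority = text after "scheme://" up to the first '/', '?' or '#'.
 * Returns 0 on success, -1 if the URL has no "://". */
static int authority_span(const char *url, const char **b, const char **e)
{
    const char *p = strstr(url, "://");
    if (!p)
        return -1;
    *b = p + 3;
    *e = *b + strcspn(*b, "/?#");
    return 0;
}

static void copy_span(char *dst, const char *b, const char *e)
{
    size_t n = (size_t)(e - b);
    if (n >= MAXLEN)
        n = MAXLEN - 1;
    memcpy(dst, b, n);
    dst[n] = '\0';
}

/* RFC 3986: userinfo is everything before the '@' inside the authority (at
 * most one is legal; the last is taken). ';' is a sub-delim, allowed in userinfo. */
int split_authority_rfc3986(const char *url, struct authority *out)
{
    const char *b, *e, *at = NULL;
    if (authority_span(url, &b, &e) < 0)
        return -1;
    for (const char *p = b; p < e; p++)
        if (*p == '@')
            at = p;
    if (at) {
        copy_span(out->userinfo, b, at);
        copy_span(out->host, at + 1, e);
    } else {
        out->userinfo[0] = '\0';
        copy_span(out->host, b, e);
    }
    return 0;
}

/* Buggy variant: stops at the first '@' OR ';'. A ';' before the '@' makes it
 * conclude there is no userinfo; the text up to that ';' then becomes the host,
 * which is the userinfo-into-host misinterpretation the CVE describes. */
int split_authority_buggy(const char *url, struct authority *out)
{
    const char *b, *e, *p;
    if (authority_span(url, &b, &e) < 0)
        return -1;
    p = b + strcspn(b, "@;");
    if (p < e && *p == '@') {
        copy_span(out->userinfo, b, p);
        copy_span(out->host, p + 1, e);
    } else {
        out->userinfo[0] = '\0';
        copy_span(out->host, b, b + strcspn(b, ";/?#"));
    }
    return 0;
}

/* Helper: does the selected parser (buggy != 0) yield this host for the URL? */
int parsed_host_is(const char *url, int buggy, const char *expected)
{
    struct authority a;
    int rc = buggy ? split_authority_buggy(url, &a) : split_authority_rfc3986(url, &a);
    return rc == 0 && strcmp(a.host, expected) == 0;
}

/* 1 when the two parsers name different hosts, 0 when they agree, -1 for a
 * URL without "://". A disagreement means an allow-list check made with one
 * parser does not constrain which host the other parser connects to. */
int host_confusion(const char *url)
{
    struct authority rfc, bug;
    if (split_authority_rfc3986(url, &rfc) < 0 || split_authority_buggy(url, &bug) < 0)
        return -1;
    return strcmp(rfc.host, bug.host) != 0;
}

int main(void)
{
    /* Constructed sample URLs (example.com / example.net are reserved names). */
    const char *urls[] = {
        "http://user:pass@example.com/index.html",    /* both parsers agree */
        "http://example.net;@example.com/index.html", /* host confusion     */
        "http://user;x@example.com/",                 /* host confusion     */
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        struct authority rfc, bug;
        split_authority_rfc3986(urls[i], &rfc);
        split_authority_buggy(urls[i], &bug);
        printf("%s\n  rfc3986: userinfo=\"%s\" host=\"%s\"\n  buggy:   userinfo=\"%s\" host=\"%s\"%s\n",
               urls[i], rfc.userinfo, rfc.host, bug.userinfo, bug.host,
               host_confusion(urls[i]) == 1 ? "  <-- HOST CONFUSION" : "");
    }
    return 0;
}
```

The second URL is the interesting one: an RFC 3986 parser (and therefore any proxy, allow-list filter or browser that follows it) sees host example.com with userinfo "example.net;", while the buggy splitter sees host example.net and no userinfo at all. Everything after that point, which host the download actually goes to, what ends up in the Host header and whether credentials leak, is what the discussions linked in the post are about; the code only shows the parse disagreement that makes those outcomes possible.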