Input validation error in wget - CVE-2024-38428
Published: June 22, 2024
Vulnerability identifier: #VU93077
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-38428
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: GNU
Affected software:
wget
wget
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper input validation of URL when parsing strings with semicolons within the scheme_leading_string() function in url.c. A remote attacker can pass a specially crafted URL to the application and influence its behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
How to mitigate CVE-2024-38428
Install updates from vendor's website.