#VU103688 Information disclosure in wget - CVE-2021-31879

Cybersecurity Help s.r.o.

Published: 2025-02-06

Vulnerability identifier: #VU103688

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-31879

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
wget
Server applications / File servers (FTP/HTTP)

Vendor: GNU

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the application does not omit the Authorization header upon a redirect to a different origin. A remote attacker can gain access to credentials for another domain.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

wget: 1.5.3 - 7.13.2

External links
https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html
https://security.netapp.com/advisory/ntap-20210618-0002/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Dell APEX Cloud Platform for Microsoft Azure update for third-party components

Dell APEX Cloud Platform for Red Hat OpenShift update for third-party components

Amazon Linux AMI update for wget

SUSE update for wget

Information disclosure in GNU Wget