CVE-2010-2252: Improper Input Validation in Wget

Severity: 6.8 MEDIUM (NVD)
EPSS: 4.9% (top 10.36% of scored CVEs)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 6, 2010; latest update May 17

Description

GNU Wget 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

Practitioner note: the attack requires only that the user run wget against a server the attacker controls (or can redirect through), since the redirect chain, not the user's command line, decides the local filename. Fixed builds derive the local filename from the original URL by default; wget's --trust-server-names option re-enables use of the redirected URL's last path component and should not be combined with untrusted servers or with downloads into a home directory.
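As an added illustration, not code from this page or from the wget project: the Python below models the filename decision a redirect-following downloader makes, comparing the pre-fix policy described above (name the file after the final, server-chosen URL) with the post-fix default (name it after the original URL, with an explicit opt-in corresponding to wget's --trust-server-names). The hosts, URLs and redirect chain are constructed for the example; is_safe_local_name is a hypothetical hardening check for clients that do accept server-supplied names, not a check wget implements in this form.

```python
"""Destination-filename policy of a redirect-following HTTP downloader.

Illustrates CVE-2010-2252: a client that names the local file after the
URL the server redirected it to lets a malicious or compromised server
choose the filename. The redirect chain below is constructed for this
example (the example.org / example.net hosts are placeholders); no
network I/O is performed.
"""
from posixpath import basename, normpath
from urllib.parse import unquote, urljoin, urlsplit

# Constructed scenario: the user asks for a tarball, the server answers with
# two 3xx redirects, the second of which points at a dotfile name.
START_URL = "http://download.example.org/files/tool-1.0.tar.gz"
REDIRECT_CHAIN = [
    "http://mirror.example.net/pkg/tool-1.0.tar.gz",  # 302 Location (absolute)
    "/.wgetrc",                                       # 302 Location (relative)
]


def follow_redirects(start_url, locations):
    """Resolve successive Location header values the way an HTTP client does."""
    url = start_url
    for loc in locations:
        url = urljoin(url, loc)
    return url


def name_from_url(url):
    """Last path component of a URL, percent-decoded.

    An empty component (URL ending in '/') falls back to 'index.html',
    mirroring wget's convention for directory URLs.
    """
    path = unquote(urlsplit(url).path)
    return basename(path) or "index.html"


def vulnerable_destination(start_url, locations):
    """wget <= 1.12 behaviour: the final, server-chosen URL names the file."""
    return name_from_url(follow_redirects(start_url, locations))


def fixed_destination(start_url, locations, trust_server_names=False):
    """Post-fix default: the original URL names the file.

    Only an explicit opt-in (the equivalent of --trust-server-names) uses
    the redirected URL, so the server cannot pick the name silently.
    """
    source = follow_redirects(start_url, locations) if trust_server_names else start_url
    return name_from_url(source)


def is_safe_local_name(name):
    """Hypothetical defence in depth for clients that accept a server name:
    reject dotfiles, path separators, traversal components and NUL bytes."""
    if name in ("", ".", ".."):
        return False
    if name.startswith("."):
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    return normpath(name) == name


def demo():
    """Return the filename each policy would write for the constructed chain."""
    return {
        "final_url": follow_redirects(START_URL, REDIRECT_CHAIN),
        "wget_1.12": vulnerable_destination(START_URL, REDIRECT_CHAIN),
        "fixed_default": fixed_destination(START_URL, REDIRECT_CHAIN),
        "trust_server_names": fixed_destination(START_URL, REDIRECT_CHAIN, trust_server_names=True),
    }


if __name__ == "__main__":
    for policy, name in demo().items():
        print(f"{policy:>20}: {name}")
```

The vulnerable policy writes ".wgetrc" into the current directory (the user's home directory if that is where wget was invoked) even though the user asked for tool-1.0.tar.gz; the fixed default writes tool-1.0.tar.gz regardless of where the redirects lead. Note that percent-decoding happens before the basename is taken, so a Location of /%2e%2e/.bashrc still yields a dotfile name under the vulnerable policy, which is why the separate name check rejects leading dots rather than only literal "..".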

CVSS vector

AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2). Exploitability subscore: 8.6 | Impact subscore: 6.4

Affected Packages (2 packages)

Debian: gnu/wget < 1.12-2.1 (+3 more)
NVD: gnu/wget 1.12 (+17 more)

🔴 Vulnerability Details (3)

GHSA: GHSA-hqjw-x4mf-w7v2: GNU Wget 1... (2022-05-17)
OSV: CVE-2010-2252: GNU Wget 1... (2010-07-06)
CVEList: CVE-2010-2252: GNU Wget 1... (2010-07-06)

📋 Vendor Advisories (3)

Ubuntu: Wget vulnerability (2010-09-02)
Red Hat: wget: multiple HTTP client download filename vulnerability [OCERT 2010-001] (2010-05-17)
Debian: CVE-2010-2252: wget - GNU Wget 1.12 and earlier uses a server-provided filename instead of the origina... (2010)

💬 Community (1)

Bugzilla: CVE-2010-2252 wget: multiple HTTP client download filename vulnerability [OCERT 2010-001] (2010-06-10)