Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-7098

CWE-362 — Race Condition11 documents9 sources

Severity

8.1HIGH

EPSS

8.8%

top 7.47%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

GNU Wget

Timeline

PublishedSep 26

Latest updateMay 17

Description

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶Debianwget< 1.18-4+3

▶Ubuntuwget< 1.15-1ubuntu1.14.04.3+1

▶NVDgnu/wget1.17

🔴Vulnerability Details

GHSA

GHSA-57mm-2gj4-2977: Race condition in wget 1↗2022-05-17

▶

OSV

wget vulnerabilities↗2017-10-26

▶

OSV

CVE-2016-7098: Race condition in wget 1↗2016-09-26

▶

CVEList

CVE-2016-7098: Race condition in wget 1↗2016-09-26

▶

💥Exploits & PoCs

Exploit-DB

GNU Wget < 1.18 - Access List Bypass / Race Condition↗2016-11-24

▶

📋Vendor Advisories

Ubuntu

Wget vulnerabilities↗2017-10-30

▶

Ubuntu

Wget vulnerabilities↗2017-10-26

▶

Red Hat

wget: files rejected by access list are kept on the disk for the duration of HTTP connection↗2016-08-11

▶

Debian

CVE-2016-7098: wget - Race condition in wget 1.17 and earlier, when used in recursive or mirroring mod...↗2016

▶

💬Community

Bugzilla

CVE-2016-7098 wget: files rejected by access list are kept on the disk for the duration of HTTP connection↗2016-04-18

▶