CVE-2018-1000500 — Improper Certificate Validation in Busybox

CWE-295 — Improper Certificate Validation10 documents8 sources

Severity

8.1HIGHNVD

EPSS

0.6%

top 31.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox Msrc CBL Mariner 1.0 ARM +2 more

Timeline

PublishedJun 26

Latest updateMay 13

Description

Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages5 packages

▶NVDbusybox/busybox< 1.32.0

▶debiandebian/busybox

▶msrcmsrc/cm1_busybox_1.32.0-2_on_cbl_mariner_1.0

▶msrcmsrc/cbl_mariner_1.0_arm

▶msrcmsrc/cbl_mariner_1.0_x64

Patches

Patch: git.busybox.net ↗Patch: git.busybox.net ↗

🔴Vulnerability Details

GHSA

GHSA-248x-4c3j-hcg7: Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution↗2022-05-13

▶

OSV

CVE-2018-1000500: Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution↗2018-06-26

▶

📋Vendor Advisories

Ubuntu

BusyBox vulnerability↗2020-09-22

▶

Microsoft

▶

Red Hat

busybox: wget: Missing SSL certificate validation↗2018-05-24

▶

Debian

CVE-2018-1000500: busybox - Busybox contains a Missing SSL certificate validation vulnerability in The "busy...↗2018

▶

💬Community

Bugzilla

CVE-2018-1000500 busybox: wget: Missing SSL certificate validation↗2018-06-27

▶

Bugzilla

CVE-2018-1000500 busybox: wget: Missing SSL certificate validation [fedora-all]↗2018-06-27

▶

Bugzilla

CVE-2018-1000500 wget: Missing SSL certificate validation [fedora-all]↗2018-06-27

▶