CVE-2018-20483

Severity
7.8 HIGH
EPSS
0.0%
top 87.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Dec 26
Latest update May 13

Description

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partia

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages: 3 packages

NVD: gnu/wget < 1.20.1
Debian: wget < 1.20.1-1+3
Ubuntu: wget < 1.15-1ubuntu1.14.04.5+2

🔴 Vulnerability Details

4
GHSA
GHSA-mxm6-6r3r-6wj4: set_file_metadata in xattr (2022-05-13)
OSV
wget vulnerabilities (2019-04-08)
CVEList
CVE-2018-20483: set_file_metadata in xattr (2018-12-26)
OSV
CVE-2018-20483: set_file_metadata in xattr (2018-12-26)

📋 Vendor Advisories

3
Ubuntu
Wget vulnerabilities (2019-04-08)
Red Hat
wget: Information exposure in set_file_metadata function in xattr.c (2018-12-26)
Debian
CVE-2018-20483: wget - set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin UR... (2018)

💬 Community

3
Bugzilla
CVE-2018-20483 wget: Information exposure in set_file_metadata function in xattr.c [fedora-all] (2019-01-02)
Bugzilla
CVE-2018-20483 curl: wget: Information exposure in set_file_metadata function in xattr.c [fedora-all] (2019-01-02)
Bugzilla
CVE-2018-20483 wget: Information exposure in set_file_metadata function in xattr.c (2018-12-31)