CVE-2019-3500 — Log File Information Exposure in Aria2

CWE-532 — Log File Information Exposure9 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 70.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Aria2 Project Aria2 Debian Aria2 Canonical Ubuntu Linux +2 more

Timeline

PublishedJan 2

Latest updateMay 13

Description

aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/aria2< aria2 1.34.0-4 (bookworm)

▶Debianaria2_project/aria2< 1.34.0-4+3

▶NVDaria2_project/aria21.33.1

Also affects: Debian Linux 8.0, 9.0, Fedora 28, 29, 30, Ubuntu Linux 18.10, 19.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-g768-79g3-c28j: aria2c in aria2 1↗2022-05-13

▶

OSV

CVE-2019-3500: aria2c in aria2 1↗2019-01-02

▶

📋Vendor Advisories

Ubuntu

aria2 vulnerability↗2021-03-15

▶

Ubuntu

aria2 vulnerability↗2019-05-06

▶

Debian

CVE-2019-3500: aria2 - aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authenticati...↗2019

▶

💬Community

Bugzilla

CVE-2019-3500 aria2: Password leak for HTTP based authentication↗2019-01-07

▶

Bugzilla

CVE-2019-3500 aria2: Password leak for HTTP based authentication [epel-7]↗2019-01-07

▶

Bugzilla

CVE-2019-3500 aria2: Password leak for HTTP based authentication [fedora-all]↗2019-01-07

▶