CVE-2024-38428

CWE-436 — Interpretation Conflict CWE-1159 documents8 sources

Severity

9.1CRITICAL

EPSS

0.2%

top 58.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Wget

Timeline

PublishedJun 16

Latest updateJun 27

Description

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶Debianwget< 1.21-1+deb11u2+3

▶NVDgnu/wget1.24.5

Patches

Patch: git.savannah.gnu.org ↗Patch: lists.gnu.org ↗Patch: git.savannah.gnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-2j66-vp53-phjj: url↗2024-06-16

▶

CVEList

CVE-2024-38428: url↗2024-06-16

▶

OSV

CVE-2024-38428: url↗2024-06-16

▶

📋Vendor Advisories

Ubuntu

Wget vulnerability↗2024-06-27

▶

Ubuntu

Wget vulnerability↗2024-06-26

▶

Microsoft

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent ↗2024-06-11

▶

Red Hat

wget: Misinterpretation of input may lead to improper behavior↗2024-06-01

▶

Debian

CVE-2024-38428: wget - url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcompon...↗2024

▶