CVE-2024-38428
published 2024-06-16
critical 9.1 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wget | < wget 1.21.3-1+deb12u1 (bookworm) | wget 1.21.3-1+deb12u1 (bookworm) |
| gnu | wget | <= 1.24.5 | — |
| gnu | wget | >= 0 < 1.21-1+deb11u2 | 1.21-1+deb11u2 |
| gnu | wget | >= 0 < 1.21.3-1+deb12u1 | 1.21.3-1+deb12u1 |
| gnu | wget | >= 0 < 1.24.5-2 | 1.24.5-2 |
| gnu | wget | >= 0 < 1.24.5-2 | 1.24.5-2 |
| msrc | cbl2_wget_1.21.2-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_wget_1.21.2-4_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvd v3.1 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
osv 9.1 CRITICAL