
Security researchers have identified a critical vulnerability in the command-line program wget; it is present in wget versions up to and including 1.24.5 (<=1.24.5). An attacker can carry out an unspecified attack.
The vulnerability, tracked as CVE-2024-38428 with a CVSS score of 10, affects the open-source versions of wget up to and including version 1.24.5. CERT-Bund only states that an anonymous remote attacker can exploit the vulnerability in wget to carry out an unspecified attack.
The vulnerability resides in the url.c module of GNU Wget: versions up to 1.24.5 incorrectly handle semicolons in the userinfo subcomponent of a URI. This can lead to unsafe behavior in which data that should belong to the userinfo subcomponent is instead interpreted as part of the host subcomponent.
Manipulated URLs could reveal authentication details and sensitive information; there is also a risk of manipulation.
- Auth details: exposure of sensitive information
- Host header manipulation: phishing, MitM redirect
- Data leakage: unintended exposure of credentials
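The userinfo/host confusion described above, shown as an added example that is not wget's code and not part of the advisory: a strict RFC 3986 authority splitter, followed by a screening function that refuses any URL whose userinfo contains sub-delimiters such as ";" (the class of input the flaw concerns) or whose host is not on an allowlist, so such URLs never reach an unpatched client. The function names, the sample URLs and the allowlist are constructed for this example.

```python
"""Pre-screen URLs before handing them to a fetcher whose authority parsing
is suspect.  Added example; not code from wget or from the advisory.

RFC 3986 section 3.2:  authority = [ userinfo "@" ] host [ ":" port ]
userinfo may contain ":" and the sub-delims "!$&'()*+,;=" as plain data, so
a ";" before the "@" is part of the credentials, not the end of the host.
"""
import re
from dataclasses import dataclass
from typing import Optional

SUB_DELIMS = "!$&'()*+,;="
# unreserved / pct-encoded / sub-delims, shared by userinfo and reg-name
_PCHAR = r"[A-Za-z0-9._~!$&'()*+,;=]|%[0-9A-Fa-f]{2}"
_USERINFO_RE = re.compile(rf"^(?:{_PCHAR}|:)*$")
_REG_NAME_RE = re.compile(rf"^(?:{_PCHAR})*$")
_IP_LITERAL_RE = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")  # loose IPv6 check only
_SCHEME_AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")


@dataclass(frozen=True)
class Authority:
    userinfo: Optional[str]
    host: str
    port: Optional[int]


def split_authority(url: str) -> Authority:
    """Split the authority of an absolute URL strictly per RFC 3986."""
    m = _SCHEME_AUTHORITY_RE.match(url)
    if not m:
        raise ValueError("not an absolute URL with an authority component")
    authority = m.group(1)
    # userinfo cannot contain a literal "@", so the first "@" is the only
    # delimiter; a second one means the URL is malformed, not ambiguous.
    if authority.count("@") > 1:
        raise ValueError("more than one '@' in authority")
    userinfo, at, hostport = authority.partition("@")
    if not at:
        userinfo, hostport = None, authority
    elif not _USERINFO_RE.match(userinfo):
        raise ValueError("illegal character in userinfo")
    if hostport.startswith("["):
        end = hostport.find("]")
        if end < 0:
            raise ValueError("unterminated IP-literal")
        host, port_part = hostport[: end + 1], hostport[end + 1 :]
        if not _IP_LITERAL_RE.match(host):
            raise ValueError("malformed IP-literal host")
        if port_part and not port_part.startswith(":"):
            raise ValueError("unexpected data after IP-literal")
        port_str = port_part[1:]
    else:
        # reg-name cannot contain ":", so the first ":" starts the port
        host, _, port_str = hostport.partition(":")
        if not _REG_NAME_RE.match(host):
            raise ValueError("illegal character in host")
    if not host:
        raise ValueError("empty host")
    if port_str and not port_str.isdigit():
        raise ValueError("port is not numeric")
    return Authority(userinfo, host.lower(), int(port_str) if port_str else None)


def screen_url(url: str, allowed_hosts: frozenset) -> tuple:
    """Return (accept, reason).  Rejects URLs whose userinfo carries
    sub-delims (a lenient parser may cut the host there) and URLs whose
    RFC 3986 host is not on the allowlist."""
    try:
        auth = split_authority(url)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if auth.userinfo is not None:
        bad = sorted({c for c in auth.userinfo if c in SUB_DELIMS})
        if bad:
            return False, f"userinfo contains sub-delims {bad}; host may be misparsed"
    if auth.host not in allowed_hosts:
        return False, f"host {auth.host!r} not on allowlist"
    return True, f"host {auth.host!r} accepted"


if __name__ == "__main__":
    # Constructed sample inputs; example.com is the only permitted host here.
    allow = frozenset({"example.com"})
    for sample in (
        "https://example.com/pkg.tar.gz",
        "https://user:pw@example.com/private/",
        "ftp://user;extra@example.com/file",
        "https://example.org/",
    ):
        ok, why = screen_url(sample, allow)
        print("ACCEPT" if ok else "REJECT", sample, "->", why)
```

The splitter uses the first "@" as the userinfo delimiter because RFC 3986 forbids a literal "@" inside userinfo, and it keeps ";" as data in both userinfo and reg-name; the screening policy is deliberately stricter than the grammar, since the point is to keep ambiguous authorities away from a parser that is known to mishandle them.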
There is not yet a wget update that fixes this vulnerability. Until the patch is released, refrain from using the command-line tool.

