CVE-2024-10524
6.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Summary
Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| gnu | wget | 0 < 1.25.0 | affected |
Weaknesses
- CWE-918: CWE-918 Server-Side Request Forgery (SSRF)
ADP Enrichment
CVE Program Container
Additional References
- http://www.openwall.com/lists/oss-security/2024/11/18/6
- https://security.netapp.com/advisory/ntap-20250321-0007/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://seclists.org/oss-sec/2024/q4/107
- https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/
- https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.