Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2018-0494 |
CWE-ID | CWE-74 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | wget (Alpine package): Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU12432
Risk: Low
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-0494
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to write arbitrary files on the target system.
The weakness exists due to improper processing of Set-Cookie responses. A remote attacker can return specially crafted data and inject arbitrary cookies into the cookie jar file.
Install update from vendor's website.
Vulnerable software versions
wget (Alpine package): 1.18-r2 - 1.18-r3
http://git.alpinelinux.org/aports/commit/?id=e6404a21b246558e15ba90e0a54011392d26c497
http://git.alpinelinux.org/aports/commit/?id=216de6f087c9096374a5b94d109a6fac300d7495
http://git.alpinelinux.org/aports/commit/?id=9ac70349518c3ae6773ec02ff79be8d20f8462b8
http://git.alpinelinux.org/aports/commit/?id=06efc389600960466f2d0f27de63ab5984f00518
http://git.alpinelinux.org/aports/commit/?id=5be082426ec4169377ecf7986788fc6e90d4faea
http://git.alpinelinux.org/aports/commit/?id=ef64d3c2ab9ef38db387a7198c2ea6adccc6f495
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.