#VU18143 Buffer overflow in wget - CVE-2019-5953


Vulnerability identifier: #VU18143

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-5953

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
wget
Server applications / File servers (FTP/HTTP)

Vendor: GNU

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when handling Internationalized Resource Identifiers (IRI) during recursive downloading. A remote attacker can trick the victim to connect to a malicious web server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

wget: 1.5.3 - 1.20.1

External links
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17
https://lists.gnu.org/archive/html/bug-wget/2019-04/msg00012.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat update for wget
Red Hat update for wget
Gentoo update for GNU Wget
Red Hat update for wget
Red Hat update for wget
OpenSUSE Linux update for wget
Amazon Linux AMI update for wget
OpenSUSE Linux update for wget
Ubuntu update for Wget
Buffer overflow in wget (Alpine package)