#VU93077 Input validation error in wget - CVE-2024-38428
Published: June 22, 2024
Vulnerability identifier: #VU93077
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-38428
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
wget
wget
Software vendor:
GNU
GNU
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper input validation of URL when parsing strings with semicolons within the scheme_leading_string() function in url.c. A remote attacker can pass a specially crafted URL to the application and influence its behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
Remediation
Install updates from vendor's website.