CVE-2024-10524

Name
CVE-2024-10524
Description
Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
vendor-advisory https://seclists.org/oss-sec/2024/q4/107
third-party-advisory https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/
patch https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2024/11/18/6
af854a3a-2127-422b-91ae-364da2661108 https://security.netapp.com/advisory/ntap-20250321-0007/

Match rules

CPE URI Source package Min version Max version
wget >= 0 < 1.25.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
wget edge-main 1.25.0-r0 Carlo Landmeter <clandmeter@alpinelinux.org> fixed
wget 3.20-main 1.24.5-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
wget 3.19-main 1.21.4-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
wget 3.18-main 1.21.4-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
wget 3.17-main 1.21.4-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
wget 3.21-main 1.25.0-r0 Carlo Landmeter <clandmeter@alpinelinux.org> fixed