PT-2019-4944 · Aria2+2 · Aria2+2

Dhiraj Mishra

Published

2019-01-01

Updated

2024-06-15

CVE-2019-3500

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions aria2 version 1.33.1

Description The issue is related to the aria2c component in the aria2 utility, which can lead to information disclosure through log files. When the --log option is used, aria2c can store an HTTP Basic Authentication username and password in a file. This might allow local users to obtain sensitive information by reading this file. The exploitation of this issue may allow an attacker to gain unauthorized access to protected information.

Recommendations For aria2 version 1.33.1, consider disabling the --log option to prevent sensitive information from being stored in log files until a fix is available. Restrict access to log files generated by aria2c to minimize the risk of exploitation. Avoid using the username and password in the affected log files until the issue is resolved.

Fix

Insertion into Log File

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-532

Related Identifiers

BDU:2020-01556

CVE-2019-3500

DLA-1636-1

DLA-2873-1

MGASA-2019-0036

OPENSUSE-SU-2019:0050-1

OPENSUSE-SU-2019_0050-1

OPENSUSE-SU-2021:1125-1

OPENSUSE-SU-2021_1125-1

OPENSUSE-SU-2024:10631-1

USN-3965-1

USN-4869-1

Affected Products

Suse

Ubuntu

Aria2

PT-2019-4944 · Aria2+2 · Aria2+2

CVE-2019-3500

Weakness Enumeration

Related Identifiers

Affected Products

References · 37