Improper Input Validation in wget | CVE-2018-0494

Q: How to fix?

Upgrade Debian:11 wget to version 1.19.5-1 or higher.

Threat Intelligence

Mature

3.72% (92^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-DEBIAN11-WGET-518015
published6 May 2018
disclosed6 May 2018

Report a new vulnerability Found a mistake?

Introduced: 6 May 2018

CVE-2018-0494 (opens in a new tab) CWE-20 (opens in a new tab)

How to fix?

Upgrade Debian:11 wget to version 1.19.5-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line.

References

https://security-tracker.debian.org/tracker/CVE-2018-0494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0494
https://www.debian.org/security/2018/dsa-4195
https://lists.debian.org/debian-lts-announce/2018/05/msg00006.html
https://www.exploit-db.com/exploits/44601/
https://security.gentoo.org/glsa/201806-01
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=1fc9c95ec144499e69dc8ec76dbe07799d7d82cd
https://lists.gnu.org/archive/html/bug-wget/2018-05/msg00020.html
https://savannah.gnu.org/bugs/?53763
https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt
https://access.redhat.com/errata/RHSA-2018:3052
http://www.securityfocus.com/bid/104129
http://www.securitytracker.com/id/1040838
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-0494
https://usn.ubuntu.com/3643-1/
https://usn.ubuntu.com/3643-2/
https://www.exploit-db.com/exploits/44601

Improper Input Validation Affecting wget package, versions <1.19.5-1

Severity