GNU wget CVE-2018-20483 Local Information Disclosure Vulnerability

Bugtraq ID:	106358
Class:	Design Error
CVE:	CVE-2018-20483
Remote:	No
Local:	Yes
Published:	Dec 26 2018 12:00AM
Updated:	Feb 27 2019 11:00AM
Credit:	GNU Wget project.
Vulnerable:	Redhat Enterprise Linux 7 Haxx Curl 7.62 Haxx Curl 7.61.1 Haxx Curl 7.61 Haxx Curl 7.60 Haxx Curl 7.63.0 Haxx Curl 7.6.1 Haxx Curl 7.6 GNU wget 1.19.5 GNU wget 1.19.4 GNU wget 1.19.3 GNU wget 1.19.2 GNU wget 1.19.1 GNU wget 1.11.4 GNU wget 1.11.3 GNU wget 1.11.2 GNU wget 1.11.1 GNU wget 1.10.2 GNU wget 1.10.1 GNU wget 1.10 GNU wget 1.8.2 + Immunix Immunix OS 7+ + MandrakeSoft Corporate Server 2.1 x86_64 + MandrakeSoft Corporate Server 2.1 + MandrakeSoft Single Network Firewall 7.2 + Mandriva Linux Mandrake 9.0 + Mandriva Linux Mandrake 8.2 ppc + Mandriva Linux Mandrake 8.2 + Mandriva Linux Mandrake 8.1 ia64 + Mandriva Linux Mandrake 8.1 + Mandriva Linux Mandrake 8.0 ppc + Mandriva Linux Mandrake 8.0 + Mandriva Linux Mandrake 7.2 + Redhat Linux 8.0 i386 + Redhat Linux 7.3 i386 + Redhat Linux 7.2 ia64 + Redhat Linux 7.2 i386 + Redhat Linux 7.1 ia64 + Redhat Linux 7.1 i386 + Redhat Linux 7.0 i386 + Redhat Linux 6.2 i386 + S.u.S.E. Linux Personal 9.3 + S.u.S.E. Linux Personal 9.2 x86_64 + S.u.S.E. Linux Personal 9.2 + S.u.S.E. Linux Personal 9.1 x86_64 + S.u.S.E. Linux Personal 9.1 + S.u.S.E. Linux Personal 9.0 x86_64 + S.u.S.E. Linux Personal 9.0 + S.u.S.E. Linux Personal 8.2 + SuSE Linux 8.1 + SuSE Linux 8.0 i386 + SuSE Linux 8.0 + Trustix Secure Linux 1.5 GNU wget 1.8.1 + Debian Linux 3.0 sparc + Debian Linux 3.0 s/390 + Debian Linux 3.0 ppc + Debian Linux 3.0 mipsel + Debian Linux 3.0 mips + Debian Linux 3.0 m68k + Debian Linux 3.0 ia-64 + Debian Linux 3.0 ia-32 + Debian Linux 3.0 hppa + Debian Linux 3.0 arm + Debian Linux 3.0 alpha GNU wget 1.8 GNU wget 1.7.1 GNU wget 1.7 GNU wget 1.6 GNU wget 1.5.3 + Debian Linux 2.2 sparc + Debian Linux 2.2 powerpc + Debian Linux 2.2 IA-32 + Debian Linux 2.2 arm + Debian Linux 2.2 alpha + Debian Linux 2.2 68k GNU wget 1.20 + MandrakeSoft Corporate Server 3.0 x86_64 + MandrakeSoft Corporate Server 3.0 + Mandriva Linux Mandrake 10.2 x86_64 + Mandriva Linux Mandrake 10.2 + Mandriva Linux Mandrake 10.1 x86_64 + Mandriva Linux Mandrake 10.1 + Mandriva Linux Mandrake 10.0 AMD64 + Mandriva Linux Mandrake 10.0 GNU wget 1.19 GNU wget 1.18 GNU wget 1.17 + Immunix Immunix OS 7+ + MandrakeSoft Corporate Server 2.1 x86_64 + MandrakeSoft Corporate Server 2.1 + MandrakeSoft Single Network Firewall 7.2 + Mandriva Linux Mandrake 9.0 + Mandriva Linux Mandrake 8.2 ppc + Mandriva Linux Mandrake 8.2 + Mandriva Linux Mandrake 8.1 ia64 + Mandriva Linux Mandrake 8.1 + Mandriva Linux Mandrake 8.0 ppc + Mandriva Linux Mandrake 8.0 + Mandriva Linux Mandrake 7.2 + Redhat Linux 8.0 i386 + Redhat Linux 7.3 i386 + Redhat Linux 7.2 ia64 + Redhat Linux 7.2 i386 + Redhat Linux 7.1 ia64 + Redhat Linux 7.1 i386 + Redhat Linux 7.0 i386 + Redhat Linux 6.2 i386 + S.u.S.E. Linux Personal 9.3 + S.u.S.E. Linux Personal 9.2 x86_64 + S.u.S.E. Linux Personal 9.2 + S.u.S.E. Linux Personal 9.1 x86_64 + S.u.S.E. Linux Personal 9.1 + S.u.S.E. Linux Personal 9.0 x86_64 + S.u.S.E. Linux Personal 9.0 + S.u.S.E. Linux Personal 8.2 + SuSE Linux 8.1 + SuSE Linux 8.0 i386 + SuSE Linux 8.0 + Trustix Secure Linux 1.5 GNU wget 1.16.3 GNU wget 1.16 GNU wget 1.15 GNU wget 1.12 GNU wget 1.11
Not Vulnerable:	Haxx Curl 7.64.0 GNU wget 1.20.1 + MandrakeSoft Corporate Server 3.0 x86_64 + MandrakeSoft Corporate Server 3.0 + Mandriva Linux Mandrake 10.2 x86_64 + Mandriva Linux Mandrake 10.2 + Mandriva Linux Mandrake 10.1 x86_64 + Mandriva Linux Mandrake 10.1 + Mandriva Linux Mandrake 10.0 AMD64 + Mandriva Linux Mandrake 10.0

GNU wget CVE-2018-20483 Local Information Disclosure Vulnerability

GNU wget is prone to a local information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information that may aid in further attacks.

GNU Wget versions prior to 1.20.1 are vulnerable.

GNU wget CVE-2018-20483 Local Information Disclosure Vulnerability

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

GNU wget CVE-2018-20483 Local Information Disclosure Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

GNU wget CVE-2018-20483 Local Information Disclosure Vulnerability

References:

• GNU Homepage (GNU)
  
• Bug 1662705 (CVE-2018-20483) - CVE-2018-20483 wget: Information exposure in set ()
  
• xattr: strip credentials from any URL that is stored ()
  
• xattr: strip credentials from any URL that is stored #3433 ()
  
• [security] Do not store username/password in extended attributes when enabling - ()
  
• 106358 ()
  
• cgit logo index : wget.git ()
  
• Curl 7.64.0 ()