CVE-2018-20483
Published: 26 December 2018
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.
Notes
Author | Note |
---|---|
mdeslaur | code was introduced in 1.19 |
Priority
Status
Package | Release | Status |
---|---|---|
wget Launchpad, Ubuntu, Debian |
bionic |
Released
(1.19.4-1ubuntu2.2)
|
cosmic |
Released
(1.19.5-1ubuntu1.1)
|
|
trusty |
Not vulnerable
(code not present)
|
|
upstream |
Released
(1.20.1-1)
|
|
xenial |
Not vulnerable
(code not present)
|
|
Patches: upstream: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8 upstream: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |