CRLF Injection Vulnerability in Wget by GNU
CVE-2017-6508

6.1MEDIUM

Key Information:

Vendor

Gnu
Status
Wget
Vendor
CVE Published:
7 March 2017

What is CVE-2017-6508?

A CRLF injection vulnerability exists in the url_parse function of Wget, affecting versions up to 1.19.1. This flaw allows remote attackers to manipulate HTTP headers by injecting arbitrary header information via CRLF sequences in the host subcomponent of a URL. This can lead to various security issues, including session hijacking and cross-site scripting, posing significant threats to user data and server integrity.

References

http://lists.gnu.org/archive/html/bug-wget/2017-03/msg000...
x_refsource_MISC
https://security.gentoo.org/glsa/201706-16
vendor-advisoryx_refsource_GENTOO
http://www.securityfocus.com/bid/96877
vdb-entryx_refsource_BID

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.