Cookie Injection Vulnerability in GNU Wget from GNU
CVE-2018-0494

6.5MEDIUM

Key Information:

Vendor: Gnu
Status: Wget
Vendor: CVE Published:; 6 May 2018

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 64%

What is CVE-2018-0494?

GNU Wget versions prior to 1.19.5 are susceptible to a cookie injection vulnerability. This flaw resides in the resp_new function within http.c, where an attacker can exploit a sequence of ' ' characters in a continuation line to inject malicious cookies. Such an attack may compromise the integrity of web sessions, allowing unauthorized access or data manipulation. It's essential to update to the latest version to mitigate this risk and ensure the secure operation of web-based functionalities.

Affected Version(s)

WGet WGet

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-0494 - Proof of Concept

References

https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt

x_refsource_MISC

https://access.redhat.com/errata/RHSA-2018:3052

vendor-advisoryx_refsource_REDHAT

https://savannah.gnu.org/bugs/?53763

x_refsource_MISC

EPSS Score

64% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 6, 2018
👾
Exploit known to exist
May 6, 2018
Vulnerability published
May 6, 2018
Vulnerability Reserved
Nov 27, 2017

CVE-2018-0494 Data

JSON

Gnu

Badges

What is CVE-2018-0494?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

EPSS Score

CVSS V3.1

Timeline