Local Information Disclosure in GNU Wget Affected By Metadata Leakage
CVE-2018-20483

7.8HIGH

Key Information:

Vendor
Gnu
Status
Wget
Vendor
CVE Published:
26 December 2018

Summary

A flaw in GNU Wget allows local users to access sensitive information through the metadata attributes of downloaded files. Specifically, the 'user.xdg.origin.url' and 'user.xdg.referrer.url' attributes store sensitive data, including URL information that may contain credentials. Attackers can exploit this vulnerability by utilizing tools such as 'getfattr' to read this metadata, potentially leading to unauthorized access to confidential information.

References

https://security.gentoo.org/glsa/201903-08
vendor-advisoryx_refsource_GENTOO
http://www.securityfocus.com/bid/106358
vdb-entryx_refsource_BID
https://twitter.com/marcan42/status/1077676739877232640
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.