CVE-2024-10524

Published: Nov 19, 2024Modified: Mar 21, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Exploitability: 2.2 / Impact: 3.7

Source: reefs@jfrog.com (Secondary)

Description

Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (5)

https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778

Source: reefs@jfrog.com

https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/

Source: reefs@jfrog.com

https://seclists.org/oss-sec/2024/q4/107

Source: reefs@jfrog.com

http://www.openwall.com/lists/oss-security/2024/11/18/6

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20250321-0007/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.