wget Password Exposure Vulnerability


Summary

A vulnerability has been discovered in the GNU Project's wget file transfer utility. A local authenticated user could exploit this vulnerability to obtain sensitive information.


Threat details

wget stores each downloaded file's origin URL as an extended filesystem attribute named user.xdg.origin.url. In some circumstances, the URL string can contain sensitive information such as usernames, passwords, or secret tokens. A local user may be able to retrieve the URL strings using the getfattr command and extract this information.
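An audit for the exposure described above, as an added example (not part of the original advisory or of wget): it walks a directory tree, reads user.xdg.origin.url from each file, and reports which files hold credentials without printing the secret itself. The function names and the SENSITIVE_PARAMS list are assumptions for illustration; os.getxattr is available on Linux only.

```python
import os
import sys
from urllib.parse import urlsplit, parse_qsl

ORIGIN_ATTR = "user.xdg.origin.url"  # attribute name given in the advisory
# Assumed list of query parameter names that commonly carry secrets.
SENSITIVE_PARAMS = {"token", "access_token", "api_key", "apikey", "key",
                    "password", "secret", "sig", "signature"}


def credential_findings(url):
    """Return the reasons a stored origin URL is sensitive (empty list if none)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable URL, review manually"]
    findings = []
    if parts.username:
        findings.append("username in URL")
    if parts.password:
        findings.append("password in URL")
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"query parameter '{name}'")
    return findings


def scan_tree(root, remove=False):
    """Return [(path, findings)] for files under root whose origin attribute
    holds credentials; with remove=True the attribute is deleted as well."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, ORIGIN_ATTR, follow_symlinks=False)
            except OSError:
                continue  # attribute absent, unsupported filesystem, or unreadable
            findings = credential_findings(raw.decode("utf-8", "replace"))
            if findings:
                hits.append((path, findings))
                if remove:
                    os.removexattr(path, ORIGIN_ATTR, follow_symlinks=False)
    return hits


if __name__ == "__main__":
    for path, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {', '.join(findings)}")  # only the finding type is shown
```

Run it as a user who can read the files being audited; any credential it flags should be rotated, since the attribute may already have been read.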


Remediation steps

The GNU Project have addressed this vulnerability in wget 1.20.1. Users and administrators are encouraged to update their affected systems immediately.


Last edited: 14 February 2020 2:43 pm