CVE-2024-10524

NameCVE-2024-10524
DescriptionApplications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1088023

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wget (PTS)bullseye1.21-1+deb11u1vulnerable
bookworm1.21.3-1vulnerable
sid, trixie1.24.5-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wgetsource(unstable)(unfixed)1088023

Notes

[bookworm] - wget <no-dsa> (Minor issue)
[bullseye] - wget <postponed> (Minor issue)
https://www.openwall.com/lists/oss-security/2024/11/18/6
https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/
Fixed by: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778 (v1.25.0)

Search for package or bug name: Reporting problems