CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Wget | Gnu | * | 1.19.1 (including) |
| Wget | Ubuntu | artful | * |
| Wget | Ubuntu | devel | * |
| Wget | Ubuntu | precise | * |
| Wget | Ubuntu | trusty | * |
| Wget | Ubuntu | upstream | * |
| Wget | Ubuntu | vivid/stable-phone-overlay | * |
| Wget | Ubuntu | xenial | * |
| Wget | Ubuntu | yakkety | * |
| Wget | Ubuntu | zesty | * |