CVE-2024-38428

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.

Weakness

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B’s state.

Affected Software

Name	Vendor	Start Version	End Version
Wget	Gnu	*	1.24.5 (including)
Red Hat Enterprise Linux 8	RedHat	wget-0:1.19.5-12.el8_10	*
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	RedHat	wget-0:1.19.5-10.el8_6.2	*
Red Hat Enterprise Linux 8.6 Telecommunications Update Service	RedHat	wget-0:1.19.5-10.el8_6.2	*
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	RedHat	wget-0:1.19.5-10.el8_6.2	*
Red Hat Enterprise Linux 8.8 Extended Update Support	RedHat	wget-0:1.19.5-11.el8_8.1	*
Red Hat Enterprise Linux 9	RedHat	wget-0:1.21.1-8.el9_4	*
Red Hat Enterprise Linux 9.2 Extended Update Support	RedHat	wget-0:1.21.1-7.el9_2.1	*
Wget	Ubuntu	devel	*
Wget	Ubuntu	esm-infra/bionic	*
Wget	Ubuntu	esm-infra/focal	*
Wget	Ubuntu	esm-infra/xenial	*
Wget	Ubuntu	focal	*
Wget	Ubuntu	jammy	*
Wget	Ubuntu	mantic	*
Wget	Ubuntu	noble	*
Wget	Ubuntu	oracular	*
Wget	Ubuntu	plucky	*
Wget	Ubuntu	questing	*
Wget	Ubuntu	trusty/esm	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-38428
CWE	https://cwe.mitre.org/data/definitions/436.html

Interpretation Conflict

Weakness

Affected Software

References

CVE-2024-38428

Interpretation Conflict

Weakness

Affected Software

Related Attack Patterns

References