CVE-2024-10524
Publication date 19 November 2024
Last updated 30 May 2025
Ubuntu priority
Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.
Read the notes from the security team
Why is this CVE low priority?
Uncommon attack scenario
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| wget | 25.04 plucky |
Needs evaluation
|
| 24.10 oracular |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
Notes
mdeslaur
the upstream fix removes shorthand support for URLs. Fixing this will change behaviour and may break existing uses of wget. This is only an issue when using a wget shorthand format URL with user-provided input, which should be an uncommon scenario.
Patch details
| Package | Patch details |
|---|---|
| wget |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L |