Skip to main content

Wget CVE-2017-13090

HIGH
Heap-based Buffer Overflow (CWE-122)
2017-10-27 cret@cert.org
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 27, 2017 - 19:29 cve.org
HIGH 8.8

DescriptionCVE.org

The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.

AnalysisAI

The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-122. The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer. Affected products include: Gnu Wget, Debian Debian Linux. Version information: before 1.19.2.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Wget

View all
CVE-2014-4877 CRITICAL POC
9.3 Oct 29

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to w

CVE-2016-4971 HIGH POC
8.8 Jun 30

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted F

CVE-2017-13089 HIGH
8.8 Oct 27

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. Rated high sev

CVE-2016-7098 HIGH POC
8.1 Sep 26

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow

CVE-2018-20483 HIGH POC
7.8 Dec 26

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata at

CVE-2018-0494 MEDIUM POC
6.5 May 06

GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequen

CVE-2017-6508 MEDIUM POC
6.1 Mar 07

CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject

CVE-2019-5953 CRITICAL
9.8 May 17

Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute

CVE-2024-38428 CRITICAL
9.1 Jun 16

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be inse

CVE-2026-58469 HIGH
8.7 Jul 07

Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving

CVE-2026-58470 MEDIUM
6.9 Jul 07

Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sess

CVE-2021-31879 MEDIUM
6.1 Apr 29

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to

Share

CVE-2017-13090 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy