CVE-2018-1000500
HIGHbusybox < 1.32.0 - Missing SSL Certificate Validation in wget Applet
Title source: manualDescription
Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4531-1/
Mailing List, Vendor Advisory x_refsource_misc
http://lists.busybox.net/pipermail/busybox/2018-May/086462.html
Patch, Vendor Advisory x_refsource_confirm
https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91
Scores
CVSS v3
8.1
EPSS
0.0246
EPSS Percentile
82.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-295
Status
published
Products (1)
busybox/busybox
< 1.32.0
Published
Jun 26, 2018
Tracked Since
Feb 18, 2026