CVE-2024-10524

MEDIUM

GNU Wget < 1.25.0 Shorthand URL Credentials - Server-Side Request Forgery

Title source: manual

Description

Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.

Scores

CVSS v3: 6.5
EPSS: 0.0059
EPSS Percentile: 69.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-918
Status: published
Products (1): gnu/wget < 1.25.0
Published: Nov 19, 2024
Tracked Since: Feb 18, 2026