Vulnerability Description
Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Busybox | Busybox | < 1.32.0 |
Related Weaknesses (CWE)
References
- http://lists.busybox.net/pipermail/busybox/2018-May/086462.htmlMailing ListVendor Advisory
- https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeePatchVendor Advisory
- https://usn.ubuntu.com/4531-1/
- http://lists.busybox.net/pipermail/busybox/2018-May/086462.htmlMailing ListVendor Advisory
- https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeePatchVendor Advisory
- https://usn.ubuntu.com/4531-1/
FAQ
What is CVE-2018-1000500?
CVE-2018-1000500 is a vulnerability with a CVSS score of 8.1 (HIGH). Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download a...
How severe is CVE-2018-1000500?
CVE-2018-1000500 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000500?
Check the references section above for vendor advisories and patch information. Affected products include: Busybox Busybox.