Vulnerability Description
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Wget | <= 1.24.5 |
Related Weaknesses (CWE)
References
- https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fdMailing ListPatch
- https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.htmlMailing ListPatch
- https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fdMailing ListPatch
- https://lists.debian.org/debian-lts-announce/2025/04/msg00029.html
- https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.htmlMailing ListPatch
- https://security.netapp.com/advisory/ntap-20241115-0005/
FAQ
What is CVE-2024-38428?
CVE-2024-38428 is a vulnerability with a CVSS score of 9.1 (CRITICAL). url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent...
How severe is CVE-2024-38428?
CVE-2024-38428 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-38428?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Wget.