Vulnerability Details : CVE-2024-10524
Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.
Exploit prediction scoring system (EPSS) score for CVE-2024-10524
- 0.38%: Probability of exploitation activity in the next 30 days
- ~58%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2024-10524
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L | N/A | N/A | JFrog | 2024-11-19 |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L | 2.2 | 3.7 | JFrog | 2024-11-19 |
CWE ids for CVE-2024-10524
- The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
  Assigned by:
  - 48a46f29-ae42-4e1d-90dd-c1676c1e5e6d (Primary)
  - reefs@jfrog.com (Secondary)
References for CVE-2024-10524
- https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778
  Fix CVE-2024-10524 (drop support for shorthand URLs) - wget.git - GNU Wget
- https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/
  Protect your Software from the Zero Day Wget Vulnerability
- https://security.netapp.com/advisory/ntap-20250321-0007/
- https://seclists.org/oss-sec/2024/q4/107
  oss-sec: Fwd: wget-1.25.0 released [fixes CVE-2024-10524]
- http://www.openwall.com/lists/oss-security/2024/11/18/6