CVE-2024-10524

Source
https://cve.org/CVERecord?id=CVE-2024-10524
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10524.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-10524
Downstream
Related
Published
2024-11-19T14:23:09.718Z
Modified
2026-07-16T03:47:15.930713758Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
Summary
GNU Wget is vulnerable to an SSRF attack when accessing partially-user-controlled shorthand URLs
Details

Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.

Database specific
{
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/10xxx/CVE-2024-10524.json",
    "cna_assigner": "JFROG"
}
References

Affected packages

Git / https.git.savannah.gnu.org/git/wget.git/

Affected ranges

Type
GIT
Repo
https://https.git.savannah.gnu.org/git/wget.git/
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
abb989138731341e5cfd285d272b24afb60fd1a9
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.25.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v1.*
v1.12
v1.13
v1.13.1
v1.13.2
v1.13.3
v1.13.4
v1.14
v1.15
v1.16
v1.16.1
v1.16.2
v1.16.3
v1.17
v1.17.1
v1.18
v1.19
v1.19.1
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.20
v1.20.1
v1.20.2
v1.20.3
v1.21
v1.21.1
v1.21.2
v1.21.3
v1.21.4
v1.24.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10524.json"