CVE-2024-10524

EUVD-2024-33431
Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.
SSRF
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.5 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L |
| JFROG | CNA | 6.5 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L |
Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score Percentile: 62%
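Debian Releases

| Debian Product | Codename | | |
|---|---|---|---|
| wget | bookworm | | no-dsa |
| wget | bullseye | | ignored |
| wget | bullseye (security) | | vulnerable |
| wget | forky | 1.25.0-2 | fixed |
| wget | sid | 1.25.0-2 | fixed |
| wget | trixie | 1.25.0-2 | fixed |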
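Ubuntu Releases

| Ubuntu Product | Codename | |
|---|---|---|
| wget | bionic | needs-triage |
| wget | focal | needs-triage |
| wget | jammy | needs-triage |
| wget | noble | needs-triage |
| wget | oracular | ignored |
| wget | plucky | needs-triage |
| wget | questing | needs-triage |
| wget | trusty | needs-triage |
| wget | xenial | needs-triage |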