CVE-2017-13089

HIGH
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.

References

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f

http://www.debian.org/security/2017/dsa-4008

http://www.securityfocus.com/bid/101592

http://www.securitytracker.com/id/1039661

https://access.redhat.com/errata/RHSA-2017:3075

https://github.com/r1b/CVE-2017-13089

https://security.gentoo.org/glsa/201711-06

https://www.synology.com/support/security/Synology_SA_17_62_Wget

https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

Details

Source: MITRE

Published: 2017-10-27

Updated: 2017-12-30

Type: CWE-119

Risk Information

CVSS v2

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 8.6

Severity: HIGH

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.8

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:gnu:wget:*:*:*:*:*:*:*:* versions up to 1.19.1 (inclusive)

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Tenable Plugins

View all (25 total)

IDNameProductFamilySeverity
124920EulerOS Virtualization 3.0.1.0 : wget (EulerOS-SA-2019-1417)NessusHuawei Local Security Checks
high
124916EulerOS Virtualization for ARM 64 3.0.1.0 : wget (EulerOS-SA-2019-1413)NessusHuawei Local Security Checks
high
121766Photon OS 1.0: Wget PHSA-2017-0047NessusPhotonOS Local Security Checks
high
121765Photon OS 2.0: Wget PHSA-2017-0046NessusPhotonOS Local Security Checks
high
119236Virtuozzo 7 : wget (VZLSA-2017-3075)NessusVirtuozzo Local Security Checks
high
111896Photon OS 1.0: Wget PHSA-2017-0047 (deprecated)NessusPhotonOS Local Security Checks
high
111895Photon OS 2.0: Wget PHSA-2017-0046 (deprecated)NessusPhotonOS Local Security Checks
high
105816Fedora 27 : wget (2017-10fbce01ec)NessusFedora Local Security Checks
high
104650SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2017:2871-2)NessusSuSE Local Security Checks
high
104609Fedora 25 : wget (2017-de8a421dcd)NessusFedora Local Security Checks
high
104514GLSA-201711-06 : GNU Wget: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
104452Fedora 26 : wget (2017-f0b3231763)NessusFedora Local Security Checks
high
104295EulerOS 2.0 SP2 : wget (EulerOS-SA-2017-1270)NessusHuawei Local Security Checks
high
104294EulerOS 2.0 SP1 : wget (EulerOS-SA-2017-1269)NessusHuawei Local Security Checks
high
104240openSUSE Security Update : wget (openSUSE-2017-1210)NessusSuSE Local Security Checks
high
104226FreeBSD : wget -- Stack overflow in HTTP protocol handling (09849e71-bb12-11e7-8357-3065ec6f3643)NessusFreeBSD Local Security Checks
high
104223Debian DSA-4008-1 : wget - security updateNessusDebian Local Security Checks
high
104221Debian DLA-1149-1 : wget security updateNessusDebian Local Security Checks
high
104218CentOS 7 : wget (CESA-2017:3075)NessusCentOS Local Security Checks
high
104216Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : wget (SSA:2017-300-02)NessusSlackware Local Security Checks
high
104211Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : wget vulnerabilities (USN-3464-1)NessusUbuntu Local Security Checks
high
104207Scientific Linux Security Update : wget on SL7.x x86_64 (20171026)NessusScientific Linux Local Security Checks
high
104205RHEL 7 : wget (RHSA-2017:3075)NessusRed Hat Local Security Checks
high
104200Oracle Linux 7 : wget (ELSA-2017-3075)NessusOracle Linux Local Security Checks
high
104182Amazon Linux AMI : wget (ALAS-2017-916)NessusAmazon Linux Local Security Checks
high