Improper input validation in GNU Wget
CVE-2010-2252
GNU Wget 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.038 (88.4th percentile)
Affected products
- GNU Wget — versions 1.10.1, 1.6, 1.8.2
Weakness classification (CWE)
References
- [oss-security] 20100517 [oCERT-2010-001] multiple http client unexpected download filename vulnerability (mailing-list, x_refsource_MLIST)
- cve@mitre.org (x_refsource_CONFIRM)
- [bug-wget] 20100520 Re: security risk of unexpected download filenames (mailing-list, x_refsource_MLIST)
- RHSA-2014:0151 (x_refsource_REDHAT, vendor-advisory)
- [bug-wget] 20100520 security risk of unexpected download filenames (mailing-list, x_refsource_MLIST)
- [oss-security] 20100609 Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability (mailing-list, x_refsource_MLIST)
- 65722 (vdb-entry, x_refsource_BID)
- cve@mitre.org (x_refsource_MISC)
- [oss-security] 20100518 Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability (mailing-list, x_refsource_MLIST)
- [bug-wget] 20100521 Re: security risk of unexpected download filenames (mailing-list, x_refsource_MLIST)