Vulnerability in Gnu Wget
CVE-2016-7098
Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.
Vulnerability class: Race Condition
EPSS: 0.067 (91.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.1 (High). Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Gnu Wget
- N/a — versions n/a
Weakness classification (CWE)
Public proof-of-concept exploits
References
- [oss-security] 20160827 Re: CVE Request - Gnu Wget 1.17 - Design Error Vulnerability (mailing-list, x_refsource_MLIST, Mailing List)
- openSUSE-SU-2017:0015 (vendor-advisory, x_refsource_SUSE)
- openSUSE-SU-2016:2284 (vendor-advisory, Third Party Advisory, x_refsource_SUSE)
- 93157 (vdb-entry, x_refsource_BID)
- 40824 (exploit, x_refsource_EXPLOIT-DB)
- [bug-wget] 20160814 Wget - acess list bypass / race condition PoC (mailing-list, x_refsource_MLIST, Exploit, Mailing List)
- [bug-wget] 20160824 Re: Wget - acess list bypass / race condition PoC (mailing-list, x_refsource_MLIST, Mailing List)
- [debian-lts-announce] 20200129 [SECURITY] [DLA 2086-1] wget security update (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2016-7098?
- CVE-2016-7098 is a high-severity vulnerability in Gnu Wget, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 8.1/10. Published 2016-09-26.
- How severe is CVE-2016-7098?
- High severity. CVSS v3 base score is 8.1 out of 10.
- Is CVE-2016-7098 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.