CVE-2024-10524

Severity CVSS v4.0:

Pending analysis

Type:

CWE-918 Server-Side Request Forgery (SSRF)

Publication date:

19/11/2024

Last modified:

21/03/2025

Description

Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS v3.1 Severity and Metrics:

Base Score: 6.50 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

Base Score 3.x

6.50

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778
https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/
https://seclists.org/oss-sec/2024/q4/107
http://www.openwall.com/lists/oss-security/2024/11/18/6
https://security.netapp.com/advisory/ntap-20250321-0007/