GNU Wget

Do you want an email whenever new security vulnerabilities are reported in GNU Wget?

By the Year

In 2024 there have been 0 vulnerabilities in GNU Wget . Wget did not have any published security vulnerabilities last year.

Year	Vulnerabilities	Average Score
2024	0	0.00
2023	0	0.00
2022	0	0.00
2021	1	6.10
2020	0	0.00
2019	1	9.80
2018	2	7.15

It may take a day or so for new Wget vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent GNU Wget Security Vulnerabilities

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin

CVE-2021-31879 6.1 - Medium - April 29, 2021

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Open Redirect

Buffer overflow in GNU Wget 1.20.1 and earlier

CVE-2019-5953 9.8 - Critical - May 17, 2019

Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code via unspecified vectors.

Memory Corruption

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which

CVE-2018-20483 7.8 - High - December 26, 2018

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.

Information Disclosure

GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c

CVE-2018-0494 6.5 - Medium - May 06, 2018

GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line.

Improper Input Validation

GNU wget before 1.18

CVE-2016-4971 8.8 - High - June 30, 2016

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.

wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.

CVE-1999-0402 - January 02, 1999

wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for GNU Wget or by GNU? Click the Watch button to subscribe.

GNU
Vendor

GNU Wget
Product

GNU Wget

By the Year

Recent GNU Wget Security Vulnerabilities

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin CVE-2021-31879 6.1 - Medium - April 29, 2021

Buffer overflow in GNU Wget 1.20.1 and earlier CVE-2019-5953 9.8 - Critical - May 17, 2019

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which CVE-2018-20483 7.8 - High - December 26, 2018

GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c CVE-2018-0494 6.5 - Medium - May 06, 2018

GNU wget before 1.18 CVE-2016-4971 8.8 - High - June 30, 2016

wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself. CVE-1999-0402 - January 02, 1999