Search for vulnerabilities
Vulnerability details: VCID-uuud-1dgw-aaah
Vulnerability ID VCID-uuud-1dgw-aaah
Aliases CVE-2018-20483
Summary set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.
Status Published
Exploitability 0.5
Weighted Severity 7.0
Risk 3.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
System Score Found at
generic_textual Low http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20483.html
cvssv3 5.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-20483.json
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00059 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00059 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
epss 0.00133 https://api.first.org/data/v1/epss?cve=CVE-2018-20483
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1662705
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483
cvssv3 6.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 2.1 https://nvd.nist.gov/vuln/detail/CVE-2018-20483
cvssv3 7.8 https://nvd.nist.gov/vuln/detail/CVE-2018-20483
generic_textual Low https://twitter.com/marcan42/status/1077676739877232640
generic_textual Medium https://ubuntu.com/security/notices/USN-3943-1
Reference id Reference type URL
http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20483.html
https://access.redhat.com/errata/RHSA-2019:3701
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-20483.json
https://api.first.org/data/v1/epss?cve=CVE-2018-20483
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://security.gentoo.org/glsa/201903-08
https://security.netapp.com/advisory/ntap-20190321-0002/
https://twitter.com/marcan42/status/1077676739877232640
https://ubuntu.com/security/notices/USN-3943-1
https://usn.ubuntu.com/3943-1/
http://www.securityfocus.com/bid/106358
1662705 https://bugzilla.redhat.com/show_bug.cgi?id=1662705
917375 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917375
cpe:2.3:a:gnu:wget:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:gnu:wget:*:*:*:*:*:*:*:*
CVE-2018-20483 https://nvd.nist.gov/vuln/detail/CVE-2018-20483
No exploits are available.
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-20483.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-20483
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-20483
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.05128
EPSS Score 0.00042
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.