Lucene search

[email protected]CVE-2017-13090

HistoryOct 27, 2017 - 7:29 p.m.

CVE-2017-13090

2017-10-2719:29:00

CWE-119

CWE-122

[email protected]

web.nvd.nist.gov

123

cve-2017-13090

wget

security vulnerability

malloc metadata corruption

response processing

chunk parser

strtol

fd_read()

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.399 Low

EPSS

Percentile

97.3%

JSON

The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk’s length, but doesn’t check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.

Affected configurations

NVD

Node

gnuwgetRange≤1.19.1

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

CPENameOperatorVersion
gnu:wgetgnu wgetle1.19.1

CPE	Name	Operator	Version
gnu:wget	gnu wget	le	1.19.1

CNA Affected

[
  {
    "platforms": [
      "any"
    ],
    "product": "Wget",
    "vendor": "GNU Project",
    "versions": [
      {
        "status": "affected",
        "version": "prior to 1.19.2"
      }
    ]
  }
]