Vulnerability CVE-2018-20483

Vulnerability Name:

CVE-2018-20483 (CCN-154793)

Assigned:

2018-12-26

Published:

2018-12-26

Updated:

2020-08-24

Summary:

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.

CVSS v3 Severity:

7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

5.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
4.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-200

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2018-20483

Source: MISC
Type: Release Notes, Third Party Advisory
http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS

Source: BID
Type: Third Party Advisory, VDB Entry
106358

Source: REDHAT
Type: UNKNOWN
RHSA-2019:3701

Source: XF
Type: UNKNOWN
gnuwget-cve201820483-info-disc(154793)

Source: GENTOO
Type: Third Party Advisory
GLSA-201903-08

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20190321-0002/

Source: MISC
Type: Exploit, Third Party Advisory
https://twitter.com/marcan42/status/1077676739877232640

Source: UBUNTU
Type: UNKNOWN
USN-3943-1

Source: CCN
Type: GNU Web site
Wget

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6575489 (Watson Speech Services Cartridge for Cloud Pak for Data)
A vulnerability in 'GNU Wget' affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2018-20483)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-20483

Vulnerable Configuration:

Configuration 1:

cpe:/a:gnu:wget:*:*:*:*:*:*:*:* (Version < 1.20.1)

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:

cpe:/a:gnu:wget:1.19.5:*:*:*:*:*:*:*

AND

cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201820483	V	CVE-2018-20483	2023-06-22
oval:org.opensuse.security:def:7827	P	wget-1.20.3-150000.3.15.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:586	P	Security update for dovecot23 (Important)	2022-07-20
oval:org.opensuse.security:def:3220	P	libopenjp2-7-2.1.0-4.12.2 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94850	P	wget-1.20.3-3.12.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:912	P	Security update for grub2 (Important)	2022-06-13
oval:org.opensuse.security:def:330	P	wget-1.20.3-3.9.2 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:384	P	wget-1.20.3-3.12.1 on GA media (Moderate)	2022-06-10
oval:org.opensuse.security:def:113582	P	wget-1.21.1-2.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:100681	P	(Moderate)	2021-11-16
oval:org.opensuse.security:def:1489	P	Security update for binutils (Moderate)	2021-11-04
oval:org.opensuse.security:def:106968	P	wget-1.21.1-2.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:49299	P	Security update for python-urllib3 (Moderate)	2021-09-29
oval:org.opensuse.security:def:96795	P	wget-1.19.5-3.6.2 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:89830	P	wget-1.19.5-3.6.2 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:2127	P	librelp-devel-1.2.15-1.15 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:61675	P	wget-1.19.5-3.6.2 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:71416	P	wget-1.19.5-3.6.2 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:71186	P	gc-devel-7.6.4-1.16 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:103485	P	wget-1.19.5-3.6.2 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:1259	P	Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP3) (Important)	2021-08-17
oval:org.opensuse.security:def:47568	P	bluez-5.13-5.4.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48007	P	flatpak-1.4.2-1.31 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47808	P	libvpx1-1.3.0-3.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48142	P	libldb1-1.5.4-1.28 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47107	P	mutt-1.6.0-54.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48106	P	libecpg6-10.10-1.15.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47122	P	perl-32bit-5.18.2-11.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48233	P	libzip2-0.11.1-13.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47436	P	libxslt-tools-1.1.28-16.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48006	P	file-5.22-10.12.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47660	P	lcms2-2.7-9.7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48021	P	glibc-2.22-100.15.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48022	P	gnome-keyring-3.20.0-28.3.18 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48335	P	vorbis-tools-1.4.0-26.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47108	P	ntp-4.2.8p8-14.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48168	P	libpcap1-1.8.1-10.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47243	P	dovecot22-2.2.30.2-14.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48264	P	perl-Config-IniFiles-2.82-3.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:62348	P	wget-1.20.3-3.9.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72089	P	wget-1.20.3-3.9.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101106	P	wget-1.20.3-3.9.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:69899	P	Security update for qemu (Important)	2021-08-02
oval:org.opensuse.security:def:48467	P	libXfont1-1.5.1-10.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48707	P	telepathy-idle-0.2.0-1.62 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:71073	P	perl-LWP-Protocol-https-6.06-1.24 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48559	P	libthai-data-0.1.25-4.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48921	P	libcares2-32bit-1.9.1-9.4.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:64486	P	Security update for permissions (Important)	2021-05-04
oval:org.opensuse.security:def:70004	P	Security update for python (Moderate)	2021-03-11
oval:org.opensuse.security:def:93968	P	(Moderate)	2021-01-29
oval:org.opensuse.security:def:67733	P	Security update for the Linux Kernel (Live Patch 18 for SLE 15) (Important)	2020-12-07
oval:org.opensuse.security:def:71742	P	wget-1.20.3-3.9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:107347	P	wget-1.20.3-3.9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:49027	P	libpcsclite1-32bit-1.8.10-7.6.3 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:49005	P	libSoundTouch0-32bit-1.7.1-5.11.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:116905	P	wget-1.20.3-3.9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:48973	P	PackageKit-gstreamer-plugin-1.1.3-24.9.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62001	P	wget-1.20.3-3.9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:50564	P	Security update for wget (Important)	2020-12-01
oval:org.opensuse.security:def:66556	P	libxcb-composite0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73221	P	libsolv-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49067	P	clamav on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73339	P	wget on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49163	P	libcroco on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50510	P	Security update for libidn2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:49234	P	libsnmp30 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:66648	P	wget on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49132	P	less on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49353	P	wget on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64399	P	libvmtools-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:67833	P	wget on GA media (Moderate)	2020-12-01
oval:com.redhat.rhsa:def:20193701	P	RHSA-2019:3701: curl security and bug fix update (Moderate)	2019-11-05
oval:com.ubuntu.xenial:def:2018204830000000	V	CVE-2018-20483 on Ubuntu 16.04 LTS (xenial) - low.	2018-12-26
oval:com.ubuntu.bionic:def:201820483000	V	CVE-2018-20483 on Ubuntu 18.04 LTS (bionic) - low.	2018-12-26
oval:com.ubuntu.cosmic:def:201820483000	V	CVE-2018-20483 on Ubuntu 18.10 (cosmic) - low.	2018-12-26
oval:com.ubuntu.cosmic:def:2018204830000000	V	CVE-2018-20483 on Ubuntu 18.10 (cosmic) - low.	2018-12-26
oval:com.ubuntu.trusty:def:201820483000	V	CVE-2018-20483 on Ubuntu 14.04 LTS (trusty) - low.	2018-12-26
oval:com.ubuntu.bionic:def:2018204830000000	V	CVE-2018-20483 on Ubuntu 18.04 LTS (bionic) - low.	2018-12-26
oval:com.ubuntu.xenial:def:201820483000	V	CVE-2018-20483 on Ubuntu 16.04 LTS (xenial) - low.	2018-12-26

BACK