SB2017040519 - CRLF injection in wget (Alpine package)
Published: April 5, 2017
Security Bulletin ID
SB2017040519
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) CRLF injection (CVE-ID: CVE-2017-6508)
The vulnerability allows a remote attacker to perform content spoofing attack.The vulnerability exists due to an error in the url_parse() function in url.c in Wget through 1.19.1. A remote attacker can inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL and spoof contents of the targeted website.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=e6404a21b246558e15ba90e0a54011392d26c497
- https://git.alpinelinux.org/aports/commit/?id=06efc389600960466f2d0f27de63ab5984f00518
- https://git.alpinelinux.org/aports/commit/?id=ef64d3c2ab9ef38db387a7198c2ea6adccc6f495
- https://git.alpinelinux.org/aports/commit/?id=8f9f3fbfeb53b7405b21e4a23421a5de45ce875d
- https://git.alpinelinux.org/aports/commit/?id=1fad1bf1cfcddcfc16bc85cdb44d799cac0e1ce7
- https://git.alpinelinux.org/aports/commit/?id=5466e2e8d58f16242930f6c33e85870504de9484
- https://git.alpinelinux.org/aports/commit/?id=f7f6608654e72f3668bff5ab52c6ed860eb70bc9
- https://git.alpinelinux.org/aports/commit/?id=97dcdf29f51bc07e977e4ab3e5fc560abb2ab44e
- https://git.alpinelinux.org/aports/commit/?id=9f177455113c2bf607ea10bd8633b718a946309d