SB2019010307 - Information disclosure in wget (Alpine package)
Published: January 3, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2018-20483)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists because set_file_metadata in xattr.c stores a file's origin URL in the user.xdg.origin.url extended attribute of the downloaded file. A local attacker can read this attribute (for example with getfattr) and obtain any credentials embedded in the URL.
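As an added example (not part of the bulletin and not wget's own code), the Python below scans a directory for downloaded files whose user.xdg.origin.url attribute still embeds URL credentials and, with --fix, rewrites the attribute with the userinfo stripped. The attribute name comes from the bulletin; the function names, the use of os.getxattr/os.setxattr and the constructed URLs are assumptions.

```python
"""Find downloaded files whose user.xdg.origin.url xattr leaks URL credentials.

Added example, not part of the bulletin or of wget. Assumes Linux with
extended-attribute support; function names are ours, the attribute name is the one the bulletin cites.
"""
import os
import sys
from urllib.parse import urlsplit, urlunsplit

XATTR_NAME = "user.xdg.origin.url"  # attribute named in the bulletin


def has_embedded_credentials(url: str) -> bool:
    """True if the URL carries a userinfo part (user or user:password)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact_url_credentials(url: str) -> str:
    """Return the URL with the userinfo removed, keeping host and port as written."""
    parts = urlsplit(url)
    if not has_embedded_credentials(url):
        return url
    netloc = parts.netloc.rsplit("@", 1)[-1]  # drop everything before the last '@'
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_file(path: str, fix: bool = False):
    """Return the stored origin URL if it embeds credentials, otherwise None.

    With fix=True the attribute is rewritten with the redacted URL. A missing
    attribute, an unreadable path or a filesystem without xattrs yields None.
    """
    if not hasattr(os, "getxattr"):  # non-Linux Python builds
        return None
    try:
        url = os.getxattr(path, XATTR_NAME).decode("utf-8", "replace")
    except OSError:  # ENODATA, ENOTSUP, ENOENT ...
        return None
    if not has_embedded_credentials(url):
        return None
    if fix:
        os.setxattr(path, XATTR_NAME, redact_url_credentials(url).encode())
    return url


if __name__ == "__main__":
    top = next((a for a in sys.argv[1:] if a != "--fix"), ".")
    for root, _, files in os.walk(top):
        for name in files:
            full = os.path.join(root, name)
            leaked = scan_file(full, fix="--fix" in sys.argv)
            if leaked:  # print the redacted form so the secret is not echoed
                print(f"{full}: credentials in origin URL {redact_url_credentials(leaked)}")
```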
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=d7d8dcb792fc6267eccd6cfce264b8e7ed020aa1
- https://git.alpinelinux.org/aports/commit/?id=1eabf36322e007ecbef28fe8ab5e63e005e82418
- https://git.alpinelinux.org/aports/commit/?id=6e27d28b6778dcd71322151001e78bac5926ef29
- https://git.alpinelinux.org/aports/commit/?id=957b8a20940b7a5744fd50c1ea86a7b82705ec90
- https://git.alpinelinux.org/aports/commit/?id=e6404a21b246558e15ba90e0a54011392d26c497