CVE-2024-38428
CVE Details
Visit the official vulnerability details page for CVE-2024-38428 to learn more.
Initial Publication
11/13/2024
Last Update
12/12/2024
Third Party Dependency
wget
NIST CVE Summary
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
CVE Severity
Our Official Summary
This is a critical-severity vulnerability that affects every Wget version up to and including 1.24.5. `wget` parses URIs in a way that causes user information to be treated as part of the host if it contains a semicolon. As a result, the host part of the URI can be interpreted incorrectly, and attackers who control the userinfo can abuse this. The CVE is only exploitable when a vulnerable `wget` version is used in specific conditions. The risk of this vulnerability being exploited in Spectro Cloud products is low. A fix requires an update from the third-party vendor.
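A pre-flight check for URLs that are about to be handed to a vulnerable `wget`, as an added example that is not Spectro Cloud's or GNU Wget's code: it extracts the userinfo subcomponent and rejects any URL whose userinfo contains a semicolon. The function names, the constructed sample URLs, the handling of scheme-less input and the choice to also reject the percent-encoded form `%3B` are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

def userinfo_of(url):
    """Return the userinfo subcomponent of url, or None if there is none."""
    # Assumption: scheme-less input ("host/path") is parsed as if it began
    # with an authority, so shorthand URLs are checked too.
    if not _SCHEME.match(url):
        url = "//" + url
    netloc = urlsplit(url).netloc      # authority ends at the first "/", "?" or "#"
    if "@" not in netloc:
        return None
    return netloc.rpartition("@")[0]   # everything before the last "@"

def has_semicolon_userinfo(url):
    """True if the userinfo holds ';' (or, conservatively, an encoded %3B)."""
    userinfo = userinfo_of(url)
    if userinfo is None:
        return False
    return ";" in userinfo or "%3b" in userinfo.lower()

def partition_urls(urls):
    """Split urls into (allowed, rejected); unparseable input is rejected."""
    allowed, rejected = [], []
    for url in urls:
        try:
            bad = has_semicolon_userinfo(url)
        except ValueError:             # urlsplit refuses malformed authorities
            bad = True
        (rejected if bad else allowed).append(url)
    return allowed, rejected

# Constructed sample input, using reserved example domains only.
SAMPLE_URLS = [
    "https://example.com/a;b=1",        # semicolon in the path: allowed
    "https://alice:pw@example.com/",    # ordinary userinfo: allowed
    "https://alice;x@example.com/",     # semicolon in userinfo: rejected
    "bob;y@example.org/file",           # scheme-less shorthand: rejected
    "https://example.com/?q=a@b;c",     # "@" and ";" in the query: allowed
]

if __name__ == "__main__":
    allowed, rejected = partition_urls(SAMPLE_URLS)
    print("allowed:", allowed)
    print("rejected:", rejected)
```
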
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.4.20 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
Date | Revision |
---|---|