LoginH3C Security Vulnerability - GNU Wget information leak - CVE-2018-20483
04-02-2021
【Summary】
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.
【Impact】
Computer local users can obtain sensitive information by reading file system extension properties.
【Software Versions and Fixes】
Product Name | Affected Version | Resolved Product and Version |
D2000-G | All | TBC before Jan 31,2020 |
【Temporary Fix】
None
【Revision History】
2019-12-16 V1.0 INITIAL
H3C advocates that every effort be made to safeguard the ultimate interests of product users, to abide by principles of responsible disclosure of security incidents, and to handle product security issues in accordance with security issues mechanisms. For information on H3C's security emergency response service and H3C product vulnerabilities, please visithttps://www.h3c.com/en/Support/Online_Help/psirt/.
