CVE-2010-2252
wget - potential code execution
EPSS 3.8%
Description
GNU Wget 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
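To make the mechanism concrete, here is an added example (not code from wget or from this advisory) that models, in simplified form, how wget 1.12 picked the local filename from a server-supplied redirect URL versus the fixed behaviour of keeping the name from the URL the user requested (the fix introduced wget's `--trust-server-names` option, off by default); it also shows the dotfile check a download wrapper can apply. All URLs are constructed, and taking the name from the first redirect target is an assumption made to mirror the chain in the description.

```python
# Added example, not part of the advisory or of wget: a simplified model of
# the CVE-2010-2252 filename choice and of the hardened behaviour, plus a
# defensive dotfile check. All URLs below are constructed.
import posixpath
from urllib.parse import unquote, urlsplit


def name_from_url(url: str) -> str:
    """Local filename derived from a URL: its last path segment, or
    index.html when the path ends in a slash."""
    segment = posixpath.basename(unquote(urlsplit(url).path))
    return segment or "index.html"


def destination(original_url: str, redirects: list, trust_server_names: bool) -> str:
    """Vulnerable wget <= 1.12 corresponds to trust_server_names=True: the
    name came from a server-chosen redirect target. The fixed default keeps
    the name from the original URL. Assumption for this model: the first
    redirect target supplies the name, matching the advisory's chain."""
    if trust_server_names and redirects:
        return name_from_url(redirects[0])
    return name_from_url(original_url)


def is_unsafe_name(name: str) -> bool:
    """Dotfiles (.wgetrc, .bashrc, ...) and path components must never be
    written into a home or download directory from a server-chosen name."""
    return name.startswith(".") or "/" in name or name in ("", ".", "..")


# Constructed sample: the redirect chain described in the advisory
ORIGINAL_URL = "http://mirror.example.test/pkg/tool-1.0.tar.gz"
REDIRECT_CHAIN = [
    "http://mirror.example.test/.wgetrc",
    "http://mirror.example.test/payload/final.bin",
]

if __name__ == "__main__":
    for trust in (True, False):
        chosen = destination(ORIGINAL_URL, REDIRECT_CHAIN, trust)
        print(f"trust_server_names={trust}: writes {chosen!r}, "
              f"unsafe={is_unsafe_name(chosen)}")
```

With the server-trusting policy the chosen name is `.wgetrc`, which the dotfile check rejects; with the fixed policy the download lands in `tool-1.0.tar.gz` regardless of where the server redirects.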
How to fix CVE-2010-2252
To remediate CVE-2010-2252, upgrade the affected package to one of the fixed versions listed below.
- Debian/wget — upgrade to 1.12-2.1 or later
- —upgrade to 1.11.4-2+lenny2 or later
Is CVE-2010-2252 being exploited?
Low — EPSS is 3.8%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.12-2.1
- from 0, < 1.11.4-2+lenny2