CVE-2024-10524: 
CBL Mariner vulnerability analysis and mitigation

CVE-2024-10524 is a vulnerability discovered in GNU Wget, affecting versions up to and including 1.24.5. The vulnerability occurs when applications use Wget to access remote resources using shorthand URLs with arbitrary user credentials in the URL. This vulnerability was discovered by the JFrog Security Research Team while researching another CVE, and was disclosed in November 2024 (JFrog Blog).

The vulnerability stems from Wget's handling of shorthand URL formats, particularly when processing HTTP shorthand formats with user-provided input. When a URL contains specific crafted credentials, Wget might incorrectly issue an FTP request to a different host instead of the intended HTTP request. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L and is classified as CWE-918 (Server-Side Request Forgery) (NVD).

The vulnerability can lead to various types of attacks including phishing, Server-Side Request Forgery (SSRF), and Man-in-the-Middle (MiTM). These attacks can result in resource restriction bypass and sensitive information exposure. An attacker could potentially redirect requests to arbitrary hosts, including those that should be inaccessible to the user (JFrog Blog).

The vulnerability has been fixed in Wget version 1.25.0, released on November 11, 2024. The fix completely removes support for shorthand URL formats for both HTTP and FTP. Users are recommended to upgrade to version 1.25.0. As a workaround, users can convert all shorthand HTTP requests to their full format by explicitly using 'http://' or 'https://' in the URL (Wget Commit).