
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-38428 affects GNU Wget in all versions up to and including 1.24.5. The software incorrectly handles semicolons in the userinfo subcomponent of a URI. The vulnerability was discovered in June 2024. The issue lies in url.c, which mishandles semicolons in the userinfo part of URLs, so that data intended for the userinfo subcomponent can be misinterpreted as part of the host subcomponent (JFrog Blog, NVD).
The vulnerability stems from an implementation flaw in the url_skip_credentials() function within url.c. According to RFC 2396, semicolons are allowed in the userinfo segment of a URI, but Wget's implementation treats a semicolon as a URL terminator while scanning for the end of the credentials. When a semicolon is present in the userinfo component, the parser therefore misinterprets the URI structure. The vulnerability has been assigned a CVSS v3.1 score of 9.1 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (JFrog Blog, NVD).
The vulnerability can have several severe security implications. When exploited, it can cause DNS queries to be sent to incorrect or potentially malicious domains, which can lead to resource restriction bypass, sensitive information exposure, and in some cases remote code execution. The impact is particularly severe when Wget is used with FTP or FTPS URLs, where the attacker can completely replace the hostname that Wget connects to (JFrog Blog).
While no official fixed version was available at the time of initial disclosure, several Linux distributions including Red Hat, Ubuntu, Debian, and SUSE have published fixed versions of Wget. For systems without access to these patches, the vulnerability can be mitigated by either preventing semicolons in the userinfo part of URIs or by disallowing user-provided data in the userinfo component (JFrog Blog, Ubuntu).
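The parsing divergence described above, as an added illustration that is not part of this report or of Wget's source: `naive_authority` is a simplified reimplementation of the flawed scan the text describes (credential scanning stops at `;` as well as `/`, `?` and `#`), `rfc_authority` splits the authority as RFC 2396/3986 intend, and `userinfo_is_safe` is the mitigation the report recommends, rejecting URLs whose userinfo contains a semicolon. The URLs and host names are constructed for the example.

```python
from urllib.parse import urlsplit


def _after_scheme(url: str) -> str:
    # "ftp://alice;role@files.example/pub" -> "alice;role@files.example/pub"
    _, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected an absolute URL containing '://'")
    return rest


def naive_authority(url: str) -> tuple[str, str]:
    """Mimic the flawed scan: stop at the first of '@', '/', '?', '#' or ';'.

    If ';' is reached before '@', the credentials are never skipped and the
    host is taken from the wrong offset, so userinfo data lands in the host.
    """
    rest = _after_scheme(url)
    stop = next((i for i, ch in enumerate(rest) if ch in "@/?#;"), len(rest))
    if stop < len(rest) and rest[stop] == "@":
        userinfo, rest = rest[:stop], rest[stop + 1:]
    else:
        userinfo = ""  # credentials not recognised; ';' won the scan
    host_end = next((i for i, ch in enumerate(rest) if ch in "/:?#"), len(rest))
    return userinfo, rest[:host_end]


def rfc_authority(url: str) -> tuple[str, str]:
    """RFC-style split: userinfo is everything before the last '@' in the authority."""
    netloc = urlsplit(url).netloc
    userinfo, _, hostport = netloc.rpartition("@")
    return userinfo, hostport.split(":", 1)[0]


def userinfo_is_safe(url: str) -> bool:
    """Mitigation from the report: refuse URLs whose userinfo contains ';'."""
    userinfo, _ = rfc_authority(url)
    return ";" not in userinfo


if __name__ == "__main__":
    # Constructed example: a semicolon inside the userinfo part.
    sample = "ftp://alice;role@files.example/pub"
    print("naive :", naive_authority(sample))  # host becomes 'alice;role@files.example'
    print("rfc   :", rfc_authority(sample))    # host is 'files.example'
    print("safe? :", userinfo_is_safe(sample))  # False, so the URL is rejected
```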
Source: This report was generated using AI