CVE-2017-6508

Published: 7 March 2017

CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.

Priority

CVSS 3 base score: 6.1

Status

Package	Release	Status
wget Launchpad, Ubuntu, Debian	artful	Released (1.19.1-3ubuntu1.1)
	precise	Released (1.13.4-2ubuntu1.5)
	trusty	Released (1.15-1ubuntu1.14.04.3)
	upstream	Needed
	xenial	Released (1.17.1-1ubuntu1.3)
	yakkety	Ignored (reached end-of-life)
	zesty	Released (1.18-2ubuntu1.1)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
https://ubuntu.com/security/notices/USN-3464-1
https://ubuntu.com/security/notices/USN-3464-2
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857073

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›