CVE-2018-1000500

Published: 26 June 2018

BusyBox contains a missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. The attack appears to be exploitable by simply downloading any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".

Priority

Medium

CVSS 3 base score: 8.1

Status

Package: busybox (Launchpad, Ubuntu, Debian)

Release                               Status
Upstream                              Needs triage
Ubuntu 20.10 (Groovy Gorilla)         Released (1:1.30.1-4ubuntu9)
Ubuntu 20.04 LTS (Focal Fossa)        Released (1:1.30.1-4ubuntu6.2)
Ubuntu 18.04 LTS (Bionic Beaver)      Released (1:1.27.2-2ubuntu3.3)
Ubuntu 16.04 LTS (Xenial Xerus)       Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr)        Not vulnerable (code not present)
Ubuntu 12.04 ESM (Precise Pangolin)   Not vulnerable (code not present)

Patches:
Upstream: https://git.busybox.net/busybox/commit/?id=0972c7f7a570c38edb68e1c60a45614b7a7c7d55
Upstream: https://git.busybox.net/busybox/commit/?id=dbe95682b4bf1192d2860646617f157e6c44f2d1
Upstream: https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91