CVE-2018-1000500
Published: 26 June 2018
Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".
Priority
Medium
CVSS 3 base score: 8.1
Status
| Package | Release | Status |
|---|---|---|
|
busybox Launchpad, Ubuntu, Debian |
artful |
Ignored
(reached end-of-life)
|
| bionic |
Released
(1:1.27.2-2ubuntu3.3)
|
|
| cosmic |
Ignored
(reached end-of-life)
|
|
| disco |
Ignored
(reached end-of-life)
|
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Released
(1:1.30.1-4ubuntu6.2)
|
|
| precise |
Not vulnerable
(code not present)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(code not present)
|
Notes
| Author | Note |
|---|---|
| mdeslaur | per Red Hat, SSL support was added in 1.23.0. Older versions don't support https at all. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000500
- http://lists.busybox.net/pipermail/busybox/2018-May/086462.html
- https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74
- https://ubuntu.com/security/notices/USN-4531-1
- NVD
- Launchpad
- Debian