| Name | CVE-2018-1000500 |
| Description | Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| busybox (PTS) | jessie, jessie (lts) | 1:1.22.0-9+deb8u5 | vulnerable |
| stretch (security), stretch (lts), stretch | 1:1.22.0-19+deb9u2 | vulnerable |
| buster | 1:1.30.1-4 | vulnerable |
| bullseye | 1:1.30.1-6 | vulnerable |
| bookworm | 1:1.35.0-4 | vulnerable |
| sid, trixie | 1:1.37.0-4 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| busybox | source | (unstable) | (unfixed) | unimportant | | |
Notes
Intentional design decision:
https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74
https://git.busybox.net/busybox/commit/networking/wget.c?id=0972c7f7a570c38edb68e1c60a45614b7a7c7d55
Starting with 1:1.27.2-3 in unstable wget emmits a message that certificate
verification is not implemented.