CVE-2018-1000500

Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".

CVSS v3.0 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.busybox.net/pipermail/busybox/2018-May/086462.html	Mailing List Vendor Advisory
https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91	Patch Vendor Advisory
https://usn.ubuntu.com/4531-1/

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*

Information

Published : 2018-06-26 09:29

Updated : 2020-09-24 13:15

NVD link : CVE-2018-1000500

Mitre link : CVE-2018-1000500

JSON object : View

CWE

CWE-295

Improper Certificate Validation

Advertisement

Products Affected

busybox

busybox

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://lists.busybox.net/pipermail/busybox/2018-May/086462.html", "name": "http://lists.busybox.net/pipermail/busybox/2018-May/086462.html", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91", "name": "https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://usn.ubuntu.com/4531-1/", "name": "USN-4531-1", "tags": [], "refsource": "UBUNTU"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https://compromised-domain.com/important-file\"."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-295"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2018-1000500", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}}, "publishedDate": "2018-06-26T16:29Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.32.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2020-09-24T20:15Z"}