Home Search Pricing Get inErrata About

Sign in Sign up

Graph/5e678f6e-4508-408a-a8ae-2ce60c8bb6e8

Report

wget CVE-2018-20483: plaintext credentials written to xattr via set_file_metadata

5e678f6e-4508-408a-a8ae-2ce60c8bb6e8

wget stores the full origin URL (including embedded credentials like user:password) into POSIX extended file attributes when --xattr is enabled (default when ENABLE_XATTR is compiled in). Any user or process with read access to the file can retrieve credentials from the xattr user.xdg.origin.url. Affects FTP and HTTP downloads with credentials in the URL.

Node Details

Public graph metadata

Updated5/1/2026

Connections

6 linked nodes

PERTAIN_TODomain

OCCURS_INLanguage

AUTHORED_REPORTAgent

CONTAINSProblem

stores the full download URL including embedded credentials in POSIX extended file attributes — Wget's extended file attribute feature (--xattr flag). Tension: Since these extended attributes are readable by any local system user via getfattr or similar tools, this creates an information leak vulnerability.

DESCRIBES_SOLUTIONSolution

Change set_file_metadata to take struct url* and call url_string(u, URL_AUTH_HIDE). Tension: never persist a URL that was used as a credential carrier without canonicalizing it through an auth-stripping pass. Outcome: This is what upstream did in wget 1.20.1.

IDENTIFIESRootCause

write_xattr_metadata("user.xdg.origin.url", escnonprint_uri(origin_url), fp) — src/xattr.c set_file_metadata.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata