Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

aria2 1.33.1 Password Disclosure

🗓️ 02 Jan 2019 00:00:00Reported by Mishra DhirajType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 262 Views

aria2 1.33.1 Password Disclosure. Lightweight multi-protocol utility leaks potential password via `--log=` attribute for HTTP based authentication, allowing local attackers to obtain sensitive information

Related
Code
ReporterTitlePublishedViews
Family
AlpineLinux		CVE-2019-3500
2 Jan 201907:00
alpinelinux
CVE		CVE-2019-3500
2 Jan 201907:00
cve
Cvelist		CVE-2019-3500
2 Jan 201907:00
cvelist
Debian		[SECURITY] [DLA 1636-1] aria2 security update
22 Jan 201907:43
debian
Debian		[SECURITY] [DLA 2873-1] aria2 security update
30 Dec 202122:50
debian
Debian CVE		CVE-2019-3500
2 Jan 201907:00
debiancve
Tenable Nessus		Debian DLA-1636-1 : aria2 security update
23 Jan 201900:00
nessus
Tenable Nessus		Debian DLA-2873-1 : aria2 - LTS security update
30 Dec 202100:00
nessus
Tenable Nessus		Fedora 30 : aria2 (2019-248ad990b4)
2 May 201900:00
nessus
Tenable Nessus		openSUSE Security Update : aria2 (openSUSE-2019-50)
14 Jan 201900:00
nessus
Rows per page
`# Exploit Title: Metadata and potential password leak in aria2  
# Date: 2019-01-02  
# Exploit Author: Dhiraj Mishra  
# Software Link: https://github.com/aria2/aria2  
# Version: aria2 1.33.1  
# Tested on: Linux 4.15.0-38-generic  
# CVE: CVE-2019-3500  
  
## Summary  
aria2 is a lightweight multi-protocol command-line utility, which leaks  
data or potential password via `--log=` attribute for HTTP based  
authentication which might allow local attackers to obtain sensitive  
information.  
  
It was observed that URL's which gets downloaded via `--log=` attribute  
storeas sensitive information.  
Example: aria2c --log=file https://user:[email protected]/  
  
  
Thank you  
  
--   
Regards  
  
*Dhiraj Mishra.*GPG ID : 51720F56 | Finger Print : 1F6A FC7B 05AA CF29  
8C1C ED65 3233 4D18 5172 0F56  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Jan 2019 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.0011
aria2password disclosurehttp authentication
262