Bug 1663991 (CVE-2019-3500) - CVE-2019-3500 aria2: Password leak for HTTP based authentication
Status: NEW
Alias: CVE-2019-3500
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20190101,repor...
Keywords: Security
Depends On: 1663992 1663993
Reported: 2019-01-07 13:37 UTC by Andrej Nemec
Modified: 2019-01-07 13:38 UTC

Description Andrej Nemec 2019-01-07 13:37:46 UTC
aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file.

Upstream issue:

https://github.com/aria2/aria2/issues/1329

Upstream patch:

https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a

References:

https://seclists.org/oss-sec/2019/q1/13
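
An added example (not from this bug report or from the aria2 project): a small audit that finds HTTP Basic `Authorization` headers in a log file such as one written with `--log`, reports whether other local users can read the file, and produces a redacted copy of the text. The sample log lines, host name and credential are constructed, and the function names are hypothetical.

```python
import base64
import os
import re
import stat
import tempfile

# HTTP Basic credentials: "Authorization: Basic <base64(user:password)>".
# The \b also lets this match the tail of "Proxy-Authorization".
BASIC_RE = re.compile(r"(?i)\b(Authorization:\s*Basic\s+)([A-Za-z0-9+/]+={0,2})")

def find_basic_auth(text):
    """Return the 1-based numbers of lines that carry Basic credentials."""
    return [n for n, line in enumerate(text.splitlines(), 1) if BASIC_RE.search(line)]

def redact(text):
    """Replace each credential blob with a marker, keeping the rest intact."""
    return BASIC_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)

def readable_by_others(path):
    """True if group or other has read permission on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(path):
    """Report credential-bearing lines and exposure of one log file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"lines": find_basic_auth(text), "redacted": redact(text),
            "readable_by_others": readable_by_others(path)}

# Constructed sample, not real aria2 output: a logged request with a made-up
# credential for a placeholder host.
SAMPLE_CRED = base64.b64encode(b"alice:example-password").decode()
SAMPLE_LOG = (
    "2019-01-07 13:37:46 [INFO] Requesting:\n"
    "GET /file.iso HTTP/1.1\n"
    f"Authorization: Basic {SAMPLE_CRED}\n"
    "Host: downloads.example.test\n"
)

def demo():
    """Write the sample to a world-readable temp file and audit it."""
    fd, path = tempfile.mkstemp(suffix=".log")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOG)
        os.chmod(path, 0o644)  # mimic a log left readable by other users
        return audit(path)
    finally:
        os.remove(path)
```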

Comment 1 Andrej Nemec 2019-01-07 13:38:07 UTC
Created aria2 tracking bugs for this issue:

Affects: epel-7 [bug 1663993]
Affects: fedora-all [bug 1663992]

