CVE-2021-31879 Overview
CVE-2021-31879 is an Open Redirect / Information Exposure vulnerability affecting GNU Wget through version 1.21.1. The vulnerability occurs because Wget does not omit the Authorization header upon a redirect to a different origin. This means that when a user is redirected from one domain to another, sensitive authentication credentials are transmitted to the destination server, potentially exposing them to malicious actors. This issue is related to CVE-2018-1000007.
Critical Impact
Authentication credentials may be leaked to untrusted third-party servers when following HTTP redirects, enabling credential theft and potential unauthorized access to protected resources.
Affected Products
- GNU Wget (through version 1.21.1)
- Broadcom Brocade Fabric Operating System Firmware
- NetApp Cloud Backup
- NetApp ONTAP Select Deploy Administration Utility
- NetApp A250 Firmware
- NetApp 500F Firmware
Discovery Timeline
- 2021-02 - Vulnerability reported via GNU Wget Bug Report
- 2021-04-29 - CVE CVE-2021-31879 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-31879
Vulnerability Analysis
This vulnerability falls under CWE-601 (URL Redirection to Untrusted Site). The core issue stems from Wget's handling of HTTP redirects when authentication headers are present. When a user initiates a request to a protected resource with an Authorization header, Wget will follow any HTTP redirects (3xx responses) received from the server. The vulnerability manifests because Wget fails to strip the Authorization header when the redirect target is on a different origin than the original request.
This behavior violates the principle that authentication credentials should be scoped to specific origins. An attacker controlling a malicious server or capable of performing a man-in-the-middle attack could craft a redirect response that sends the user's credentials to an attacker-controlled server.
Root Cause
The root cause lies in the redirect handling logic within GNU Wget. When processing HTTP 3xx redirect responses, Wget preserves all request headers including the sensitive Authorization header across origin boundaries. The implementation lacks the necessary origin validation check that would strip authentication credentials when the redirect target domain differs from the original request domain.
Attack Vector
The attack requires user interaction where an attacker must either:
- Control a server that the victim connects to with authentication credentials, allowing the attacker to redirect the request to their malicious endpoint
- Perform a man-in-the-middle attack to inject malicious redirect responses into legitimate traffic
The attack flow involves:
- Victim initiates an authenticated Wget request to a resource
- The target server (or MITM attacker) responds with an HTTP redirect to a different origin
- Wget follows the redirect, carrying the Authorization header to the new destination
- The malicious destination captures the authentication credentials
This vulnerability is exploited over the network and requires the victim to initiate the request, making social engineering a potential component of real-world attacks. The credentials obtained could include Basic Authentication credentials, Bearer tokens, or other HTTP authentication mechanisms.
Detection Methods for CVE-2021-31879
Indicators of Compromise
- Unexpected outbound connections to unfamiliar domains following Wget requests
- Authorization headers appearing in logs for domains where no authentication should occur
- Network traffic showing redirect chains that cross security boundaries
- Authentication tokens or credentials appearing in third-party server logs
Detection Strategies
- Monitor network traffic for HTTP redirects that carry Authorization headers to different origins
- Implement network egress filtering to detect credential leakage patterns
- Review Wget command-line usage across systems for potentially vulnerable configurations
- Deploy intrusion detection rules to identify redirect chains involving authentication headers
Monitoring Recommendations
- Enable verbose logging for Wget operations in automated scripts and cron jobs
- Monitor for anomalous redirect patterns in proxy logs and network traffic analysis tools
- Implement alerting on authentication header transmission to unexpected destinations
- Conduct periodic audits of systems running affected Wget versions
How to Mitigate CVE-2021-31879
Immediate Actions Required
- Upgrade GNU Wget to a patched version that properly handles Authorization headers during redirects
- Audit all scripts and automated processes that use Wget with authentication
- Consider using the --max-redirect=0 flag to disable redirect following when not required
- Implement network controls to restrict outbound connections from systems using authenticated Wget
Patch Information
Refer to the GNU Wget Bug Report for official patch information. Additionally, NetApp has released guidance via their NetApp Security Advisory for affected NetApp products. Users should update to the latest available version of GNU Wget from their distribution repositories or compile from source with the appropriate patches applied.
Workarounds
- Disable automatic redirect following by using --max-redirect=0 when authentication is required
- Use alternative HTTP clients that properly handle credential scoping across origins
- Implement proxy-based filtering to strip Authorization headers on cross-origin redirects
- Avoid using HTTP authentication with Wget when possible; consider alternative authentication mechanisms
# Disable redirect following to prevent credential leakage
wget --max-redirect=0 --auth-no-challenge https://example.com/protected-resource
# Alternative: Use curl with proper credential handling
curl --location --proto-redir https https://example.com/protected-resource
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
