aria2 1.33.1 Password Disclosure

Related Vulnerabilities: CVE-2019-3500  
Publish Date: 02 Jan 2019
# Exploit Title: Metadata and potential password leak in aria2
# Date: 2019-01-02
# Exploit Author: Dhiraj Mishra
# Software Link: https://github.com/aria2/aria2
# Version: aria2 1.33.1
# Tested on: Linux 4.15.0-38-generic
# CVE: CVE-2019-3500

## Summary
aria2 is a lightweight multi-protocol command-line utility. When the
`--log=` option is used, it leaks data, potentially including passwords
used for HTTP-based authentication, which might allow local attackers to
obtain sensitive information.

It was observed that when URLs are downloaded with the `--log=` option
set, sensitive information is stored in the log file.
Example: `aria2c --log=file https://user:passwd@example.com/`
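
A defender can audit existing log files for this leak. The following is an added example, not part of the original advisory or of aria2: it finds `user:password@` URLs in a log, redacts the password, and reports whether the file is readable by other local users. The sample log lines are constructed for illustration and do not reproduce aria2's real log layout; the function names are hypothetical.

```python
import os
import re
import stat

# scheme://user:password@ ; userinfo cannot contain '/', '@' or whitespace,
# so a host:port pair such as example.com:8443/ is not mistaken for credentials.
CRED_URL = re.compile(r"\b([a-z][a-z0-9+.-]*://)([^\s/:@]+):([^\s/@]+)@", re.IGNORECASE)

# Constructed sample lines (not real aria2 output).
SAMPLE_LOG = """\
2019-01-02 10:00:00 [INFO] download started: https://example.com:8443/file.iso
2019-01-02 10:00:01 [INFO] download started: https://user:passwd@example.com/
2019-01-02 10:00:02 [NOTICE] download complete
"""

def find_credential_lines(text):
    """Return (line_number, username) for every URL carrying user:password."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in CRED_URL.finditer(line):
            hits.append((number, match.group(2)))
    return hits

def redact(text):
    """Replace the password part of each credential URL, keeping the username."""
    return CRED_URL.sub(r"\1\2:REDACTED@", text)

def readable_by_others(path):
    """True if group or world read bits are set on the log file (POSIX modes)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(path):
    """Summarise exposure of one log file: credential hits plus permission state."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        text = handle.read()
    return {"hits": find_credential_lines(text), "exposed": readable_by_others(path)}

if __name__ == "__main__":
    print(find_credential_lines(SAMPLE_LOG))
    print(redact(SAMPLE_LOG), end="")
```

A log that reports hits and is also readable by other users is the case the advisory describes; any password found this way should be treated as disclosed and rotated.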


Thank you

-- 
Regards

*Dhiraj Mishra.*
GPG ID: 51720F56 | Fingerprint: 1F6A FC7B 05AA CF29 8C1C ED65 3233 4D18 5172 0F56