oss-sec mailing list archives

aria2 leaks passwords for HTTP based authentication


From: Dhiraj Mishra <mishra.dhiraj95 () gmail com>
Date: Wed, 2 Jan 2019 11:04:23 +0400

Hi List,


aria2 is a lightweight multi-protocol command-line utility which leaks data
or a potential password via the `--log=` attribute for HTTP-based authentication,
which might allow local attackers to obtain sensitive information. This
issue is somewhat similar to (2019/01/01/1).


It was observed that URLs which get downloaded via the `--log=` attribute
store sensitive information.

Example: aria2c --log=file https://user:passwd@example.com/


Later CVE-2019-3500 was assigned to this.




Thank you

@mishradhiraj_
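
A defender-side check for the exposure described in this report, as an added example that is not part of the original post or of aria2: it scans a log file for URLs carrying `user:password@` userinfo, redacts the password, and flags files readable by other local users. The function names and the sample log lines are constructed for illustration and are not real aria2 output.

```python
import os
import re
import stat
import tempfile

# scheme://user:password@host ; the password group is what must not reach a log.
USERINFO_URL = re.compile(
    r"(?P<scheme>\b(?:https?|ftp)://)(?P<user>[^\s/:@]+):(?P<password>[^\s/@]+)@"
)

def redact_line(line):
    """Return (redacted_line, number_of_credentials_replaced)."""
    return USERINFO_URL.subn(lambda m: f"{m['scheme']}{m['user']}:REDACTED@", line)

def audit_log(path):
    """Report lines holding URL credentials and whether the file's mode
    lets group or other local users read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            redacted, hits = redact_line(line.rstrip("\n"))
            if hits:
                findings.append((lineno, redacted))
    return {
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "findings": findings,
    }

def make_sample_log(mode=0o644):
    """Write constructed sample lines (not real aria2 output) to a temp file."""
    lines = [
        "2019-01-02 11:04:23 [INFO] starting download\n",
        "2019-01-02 11:04:23 [DEBUG] request for https://user:passwd@example.com/\n",
        "2019-01-02 11:04:24 [INFO] fetched https://example.com/file.iso\n",
    ]
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.writelines(lines)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    sample = make_sample_log()
    try:
        report = audit_log(sample)
        print("readable by group/others:", report["readable_by_others"])
        for lineno, text in report["findings"]:
            print(f"line {lineno}: {text}")
    finally:
        os.remove(sample)
```

Any credential this check finds in an existing log should be treated as exposed and rotated, since redacting the file does not undo earlier reads.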
