# Exploit Title: Metadata and potential password leak in aria2
# Date: 2019-01-02
# Exploit Author: Dhiraj Mishra
# Software Link: https://github.com/aria2/aria2
# Version: aria2 1.33.1
# Tested on: Linux 4.15.0-38-generic
# CVE: CVE-2019-3500

## Summary

aria2 is a lightweight multi-protocol command-line utility. When the `--log=` option is used with HTTP-based authentication, it leaks data or a potential password, which might allow local attackers to obtain sensitive information.

It was observed that URLs downloaded with the `--log=` option set are stored in the log together with their sensitive information.

Example:

```
aria2c --log=file https://user:passwd@example.com/
```

Thank you
--
Regards
*Dhiraj Mishra.*
GPG ID : 51720F56 | Finger Print : 1F6A FC7B 05AA CF29 8C1C ED65 3233 4D18 5172 0F56
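A defender-side check for the exposure described above, as an added example that is not part of the original advisory: it scans a log file for URLs carrying `user:password@` userinfo, reports whether the file is readable by group or other local users, and redacts the password. The log lines are constructed samples, not real aria2 output, and the function names are hypothetical.

```python
import os
import re
import stat
import tempfile

# scheme://user:password@host (URL userinfo; the password may be empty)
CRED_URL = re.compile(r"\b([a-z][a-z0-9+.-]*://)([^\s/:@]+):([^\s/@]*)@", re.I)


def redact(line):
    """Replace the password in any credential-bearing URL with a marker."""
    return CRED_URL.sub(r"\1\2:REDACTED@", line)


def audit_log(path):
    """Return (findings, exposed) for one log file.

    findings: list of (line_number, scheme, user); the password is never returned.
    exposed:  True when group or other users have read permission on the file.
    """
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            for m in CRED_URL.finditer(line):
                findings.append((n, m.group(1), m.group(2)))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return findings, bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    # Constructed sample lines, not real aria2 output.
    sample = (
        "2019-01-02 10:00:00 [INFO] Download started\n"
        "2019-01-02 10:00:01 [DEBUG] URI=https://user:passwd@example.com/\n"
        "2019-01-02 10:00:02 [DEBUG] URI=https://example.com/file.iso\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(sample)
    os.chmod(fh.name, 0o644)  # readable by other local users
    try:
        return audit_log(fh.name), redact(sample.splitlines()[1])
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    (hits, exposed), clean = demo()
    print(hits, "readable by group/other:", exposed)
    print(clean)
```

A finding on a file that is also group- or world-readable is the case the advisory describes; tightening the log to mode 0600 and passing credentials outside the URL removes both conditions.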