PT-2014-1930 · Gnu+5 · Gnu Wget+5

Hdm

Published

2014-10-28

Updated

2024-06-15

CVE-2014-4877

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions GNU Wget versions prior to 1.16

Description The issue allows remote FTP servers to write to arbitrary files and execute arbitrary code when recursion is enabled, through a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation can be carried out remotely.

Recommendations For GNU Wget versions prior to 1.16, consider disabling recursion to minimize the risk of exploitation until a patch is available. Restrict access to arbitrary files to prevent potential code execution.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALT-PU-2014-2303

ALT-PU-2015-1257

BDU:2015-09791

CESA-2014_1764

CVE-2014-4877

DLA-82-1

DSA-3062-1

MGASA-2014-0431

OPENSUSE-SU-2024:10263-1

RHSA-2014:1764

RHSA-2014:1955

RHSA-2014_1764

SUSE-SU-2014_1366-1

SUSE-SU-2014_1366-2

SUSE-SU-2014_1408-1

SUSE-SU-2014_1464-1

USN-2393-1

Affected Products

Alt Linux

Centos

Gnu Wget

Red Hat

Suse

Ubuntu

PT-2014-1930 · Gnu+5 · Gnu Wget+5

CVE-2014-4877

Weakness Enumeration

Related Identifiers

Affected Products

References · 43