Path traversal in GNU wget



Updated: 2020-07-28
Risk: High
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2014-4877
CWE-ID: CWE-22
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: wget (Server applications / File servers (FTP/HTTP))
Vendor: GNU

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Path traversal

EUVDB-ID: #VU32477

Risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2014-4877

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.
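
A defender-side check for the condition described above, as an added example (not wget's code and not part of the original bulletin): it parses a Unix-style FTP LIST response and flags any filename that is listed more than once where at least one entry is a symlink. The function names, the regular expression and the sample listing are constructed for illustration.

```python
import re
from collections import defaultdict

# Unix-style LIST line: mode, link count, owner, group, size, 3-field date, name
LIST_RE = re.compile(
    r"^(?P<type>[-dlbcps])[-rwxsStT]{9}\S*\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<name>.+)$"
)

def parse_list(listing):
    """Yield (type_char, name, symlink_target) for each parsable LIST line."""
    for line in listing.splitlines():
        m = LIST_RE.match(line.rstrip("\r"))
        if not m:
            continue  # "total N" lines and non-Unix formats are skipped
        name, target = m.group("name"), None
        if m.group("type") == "l" and " -> " in name:
            name, target = name.split(" -> ", 1)
        yield m.group("type"), name, target

def suspicious_entries(listing):
    """Return names listed more than once where at least one entry is a symlink."""
    seen = defaultdict(list)
    for ftype, name, target in parse_list(listing):
        seen[name].append((ftype, target))
    findings = {}
    for name, entries in seen.items():
        if len(entries) > 1 and any(t == "l" for t, _ in entries):
            findings[name] = entries
    return findings

# Constructed sample listing (not captured traffic); the target path is a placeholder.
SAMPLE = (
    "total 3\r\n"
    "-rw-r--r--   1 ftp ftp   1024 Oct 28  2014 readme.txt\r\n"
    "lrwxrwxrwx   1 ftp ftp      0 Oct 28  2014 mirror -> /placeholder/target\r\n"
    "drwxr-xr-x   2 ftp ftp   4096 Oct 28  2014 mirror\r\n"
    "lrwxrwxrwx   1 ftp ftp      0 Oct 28  2014 latest -> releases\r\n"
)

if __name__ == "__main__":
    for name, entries in suspicious_entries(SAMPLE).items():
        print(f"duplicate name with symlink entry: {name!r} {entries}")
```

A lone symlink entry (`latest` in the sample) is not flagged; only the repeated name with a symlink among its entries matches the pattern in the description.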

Mitigation

Install update from vendor's website.

Vulnerable software versions

wget: 1.5.3 - 1.15

External links

https://advisories.mageia.org/MGASA-2014-0431.html
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0
https://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
https://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html
https://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html
https://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html
https://rhn.redhat.com/errata/RHSA-2014-1764.html
https://rhn.redhat.com/errata/RHSA-2014-1955.html
https://security.gentoo.org/glsa/glsa-201411-05.xml
https://www.debian.org/security/2014/dsa-3062
https://www.kb.cert.org/vuls/id/685996
https://www.mandriva.com/security/advisories?name=MDVSA-2015:121
https://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
https://www.securityfocus.com/bid/70751
https://www.ubuntu.com/usn/USN-2393-1
https://bugzilla.redhat.com/show_bug.cgi?id=1139181
https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
https://github.com/rapid7/metasploit-framework/pull/4088
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://kc.mcafee.com/corporate/index?page=content&id=SB10106


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.


