Page 2 of 12 results (0.004 seconds)

CVSS: 9.3EPSS: 39%CPEs: 3EXPL: 0

The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer. • http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba http://www.debian.org/security/2017/dsa-4008 http://www.securityfocus.com/bid/101590 http://www.securitytracker.com/id/1039661 https://access.redhat.com/errata/RHSA-2017:3075 https://security.gentoo.org/glsa/201711-06 https://www.synology.com/support/security/Synology_SA_17_62_Wget https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html https://access.redhat • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL. Vulnerabilidad de inyección CRLF en la función url_parse en url.c en Wget hasta la versión 1.19.1 permite a atacantes remotos inyectar encabezados HTTP arbitrarios a través de secuencias CRLF en el subcomponente del host de una URL. • http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4 http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html http://www.securityfocus.com/bid/96877 https://security.gentoo.org/glsa/201706-16 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •

CVSS: 8.1EPSS: 3%CPEs: 1EXPL: 2

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open. Condición de carrera en wget1.17 y versiones anteriores, cuando es utilizado en modo recursivo o de reflejo para descargar un único archivo, podría permitir a servidores remotos eludir las restricciones de lista destinadas al acceso manteniendo una conexión HTTP abierta. GNU wget versions 1.17 and earlier, when used in mirroring/recursive mode, are affected by a race condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with the -A parameter. This might allow attackers to place malicious/restricted files onto the system. Depending on the application / download directory, this could potentially lead to other vulnerabilities such as code execution, etc. • https://www.exploit-db.com/exploits/40824 http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00083.html http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00134.html http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00007.html http://www.openwall.com/lists/oss-security/2016/08/27/2 http://www.securityfocus.com/bid/93157 https://lists.debian.org/debian-lts-announce/2020/01/msg00031.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 8.8EPSS: 95%CPEs: 10EXPL: 7

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. GNU wget en versiones anteriores a 1.18 permite a servidores remotos escribir archivos arbitrarios redirigiendo una petición desde HTTP a una fuente FTP manipulada. It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. GNU Wget versions prior to 1.18 suffer from an arbitrary file upload vulnerability that may allow for remote code execution. • https://www.exploit-db.com/exploits/49815 https://www.exploit-db.com/exploits/40064 https://github.com/gitcollect/CVE-2016-4971 https://github.com/mbadanoiu/CVE-2016-4971 https://github.com/dinidhu96/IT19013756_-CVE-2016-4971- http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1 http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html http://lists.opensuse.org/opensuse-updates/2016-08/msg00043.html http://packetstormsecurity.com/files • CWE-73: External Control of File Name or Path •

CVSS: 9.3EPSS: 7%CPEs: 8EXPL: 2

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. Vulnerabilidad de salto de ruta absoluta en GNU Wget anterior a 1.16, cuando la recursión esta habilitada, permite a servidores FTP remotos escribir a ficheros arbitrarios, y como consecuencia ejecutar código arbitrario, a través de una respuesta LIST que hace referencia al mismo nombre de fichero dentro de dos entradas, una de las cuales indica que el nombre de fichero es para un enlace simbólico. A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution. • http://advisories.mageia.org/MGASA-2014-0431.html http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0 http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html http://lists.opensuse.org/opensuse-updates/2014-11/msg0002 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •