
CVSS: 9.3 | EPSS: 64% | CPEs: 3 | EXPL: 2

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker-controlled length argument.

References:
• https://github.com/mzeyong/CVE-2017-13089
• https://github.com/r1b/CVE-2017-13089
• http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f
• http://www.debian.org/security/2017/dsa-4008
• http://www.securityfocus.com/bid/101592
• http://www.securitytracker.com/id/1039661
• https://access.redhat.com/errata/RHSA-2017:3075
• https://security.gentoo.org/glsa/201711-06
• https://www.synology.com/support/security/Synology_SA_17_62_Wget
• https://www.viestintavira

CWE:
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-121: Stack-based Buffer Overflow

CVSS: 9.3 | EPSS: 39% | CPEs: 3 | EXPL: 0

The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker-controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.

References:
• http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba
• http://www.debian.org/security/2017/dsa-4008
• http://www.securityfocus.com/bid/101590
• http://www.securitytracker.com/id/1039661
• https://access.redhat.com/errata/RHSA-2017:3075
• https://security.gentoo.org/glsa/201711-06
• https://www.synology.com/support/security/Synology_SA_17_62_Wget
• https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html
• https://access.redhat

CWE:
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-122: Heap-based Buffer Overflow

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.

References:
• http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
• http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
• http://www.securityfocus.com/bid/96877
• https://security.gentoo.org/glsa/201706-16

CWE:
• CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSS: 8.1 | EPSS: 3% | CPEs: 1 | EXPL: 2

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.

GNU wget versions 1.17 and earlier, when used in mirroring/recursive mode, are affected by a race condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with the -A parameter. This might allow attackers to place malicious/restricted files onto the system. Depending on the application / download directory, this could potentially lead to other vulnerabilities such as code execution, etc.

References:
• https://www.exploit-db.com/exploits/40824
• http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00083.html
• http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00134.html
• http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00007.html
• http://www.openwall.com/lists/oss-security/2016/08/27/2
• http://www.securityfocus.com/bid/93157
• https://lists.debian.org/debian-lts-announce/2020/01/msg00031.html

CWE:
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSS: 8.8 | EPSS: 95% | CPEs: 10 | EXPL: 7

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.

It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to an FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.

GNU Wget versions prior to 1.18 suffer from an arbitrary file upload vulnerability that may allow for remote code execution.

References:
• https://www.exploit-db.com/exploits/49815
• https://www.exploit-db.com/exploits/40064
• https://github.com/gitcollect/CVE-2016-4971
• https://github.com/mbadanoiu/CVE-2016-4971
• https://github.com/dinidhu96/IT19013756_-CVE-2016-4971-
• http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1
• http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
• http://lists.opensuse.org/opensuse-updates/2016-08/msg00043.html
• http://packetstormsecurity.com/files

CWE:
• CWE-73: External Control of File Name or Path