CVSS: 9.3EPSS: 64%CPEs: 3EXPL: 2CVE-2017-13089 – GNU Wget: stack overflow in HTTP protocol handling
https://notcve.org/view.php?id=CVE-2017-13089
The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. Se llama a la función http.c:skip_short_body() en ciertas circunstancias, como cuando se procesan redirecciones. • https://github.com/mzeyong/CVE-2017-13089 https://github.com/r1b/CVE-2017-13089 http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f http://www.debian.org/security/2017/dsa-4008 http://www.securityfocus.com/bid/101592 http://www.securitytracker.com/id/1039661 https://access.redhat.com/errata/RHSA-2017:3075 https://security.gentoo.org/glsa/201711-06 https://www.synology.com/support/security/Synology_SA_17_62_Wget https://www.viestintavira • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-6508
https://notcve.org/view.php?id=CVE-2017-6508
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL. Vulnerabilidad de inyección CRLF en la función url_parse en url.c en Wget hasta la versión 1.19.1 permite a atacantes remotos inyectar encabezados HTTP arbitrarios a través de secuencias CRLF en el subcomponente del host de una URL. • http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4 http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html http://www.securityfocus.com/bid/96877 https://security.gentoo.org/glsa/201706-16 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 8.1EPSS: 3%CPEs: 1EXPL: 2CVE-2016-7098 – GNU Wget < 1.18 - Access List Bypass / Race Condition
https://notcve.org/view.php?id=CVE-2016-7098
Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open. Condición de carrera en wget1.17 y versiones anteriores, cuando es utilizado en modo recursivo o de reflejo para descargar un único archivo, podría permitir a servidores remotos eludir las restricciones de lista destinadas al acceso manteniendo una conexión HTTP abierta. GNU wget versions 1.17 and earlier, when used in mirroring/recursive mode, are affected by a race condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with the -A parameter. This might allow attackers to place malicious/restricted files onto the system. Depending on the application / download directory, this could potentially lead to other vulnerabilities such as code execution, etc. • https://www.exploit-db.com/exploits/40824 http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00083.html http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00134.html http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00007.html http://www.openwall.com/lists/oss-security/2016/08/27/2 http://www.securityfocus.com/bid/93157 https://lists.debian.org/debian-lts-announce/2020/01/msg00031.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 8.8EPSS: 95%CPEs: 10EXPL: 7CVE-2016-4971 – GNU Wget < 1.18 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2016-4971
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. GNU wget en versiones anteriores a 1.18 permite a servidores remotos escribir archivos arbitrarios redirigiendo una petición desde HTTP a una fuente FTP manipulada. It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. GNU Wget versions prior to 1.18 suffer from an arbitrary file upload vulnerability that may allow for remote code execution. • https://www.exploit-db.com/exploits/49815 https://www.exploit-db.com/exploits/40064 https://github.com/gitcollect/CVE-2016-4971 https://github.com/mbadanoiu/CVE-2016-4971 https://github.com/dinidhu96/IT19013756_-CVE-2016-4971- http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1 http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html http://lists.opensuse.org/opensuse-updates/2016-08/msg00043.html http://packetstormsecurity.com/files • CWE-73: External Control of File Name or Path •
CVSS: 9.3EPSS: 7%CPEs: 8EXPL: 2CVE-2014-4877 – wget: FTP symlink arbitrary filesystem access
https://notcve.org/view.php?id=CVE-2014-4877
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. Vulnerabilidad de salto de ruta absoluta en GNU Wget anterior a 1.16, cuando la recursión esta habilitada, permite a servidores FTP remotos escribir a ficheros arbitrarios, y como consecuencia ejecutar código arbitrario, a través de una respuesta LIST que hace referencia al mismo nombre de fichero dentro de dos entradas, una de las cuales indica que el nombre de fichero es para un enlace simbólico. A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution. • http://advisories.mageia.org/MGASA-2014-0431.html http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0 http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html http://lists.opensuse.org/opensuse-updates/2014-11/msg0002 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •