CVE-2014-4877

wget: FTP symlink arbitrary filesystem access

Severity Score

9.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

Vulnerabilidad de salto de ruta absoluta en GNU Wget anterior a 1.16, cuando la recursión esta habilitada, permite a servidores FTP remotos escribir a ficheros arbitrarios, y como consecuencia ejecutar código arbitrario, a través de una respuesta LIST que hace referencia al mismo nombre de fichero dentro de dos entradas, una de las cuales indica que el nombre de fichero es para un enlace simbólico.

A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-07-10 CVE Reserved
2014-10-29 CVE Published
2024-08-06 CVE Updated
2024-08-06 First Exploit
2024-10-27 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59: Improper Link Resolution Before File Access ('Link Following')

CAPEC

References (23)

URL	Tag	Source
http://advisories.mageia.org/MGASA-2014-0431.html	X_refsource_confirm
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7	X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html	X_refsource_confirm
http://www.securityfocus.com/bid/70751	Vdb Entry
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917	X_refsource_confirm
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722	X_refsource_confirm
https://kc.mcafee.com/corporate/index?page=content&id=SB10106	X_refsource_confirm

URL	Date	SRC
https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access	2024-08-06
https://github.com/rapid7/metasploit-framework/pull/4088	2024-08-06

URL	Date	SRC
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0	2017-02-17
http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html	2017-02-17
http://www.kb.cert.org/vuls/id/685996	2017-02-17
https://bugzilla.redhat.com/show_bug.cgi?id=1139181	2014-12-03

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html	2017-02-17
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html	2017-02-17
http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html	2017-02-17
http://rhn.redhat.com/errata/RHSA-2014-1764.html	2017-02-17
http://rhn.redhat.com/errata/RHSA-2014-1955.html	2017-02-17
http://security.gentoo.org/glsa/glsa-201411-05.xml	2017-02-17
http://www.debian.org/security/2014/dsa-3062	2017-02-17
http://www.mandriva.com/security/advisories?name=MDVSA-2015:121	2017-02-17
http://www.ubuntu.com/usn/USN-2393-1	2017-02-17
https://access.redhat.com/security/cve/CVE-2014-4877	2014-12-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gnu Search vendor "Gnu"		Wget Search vendor "Gnu" for product "Wget"				<= 1.15 Search vendor "Gnu" for product "Wget" and version " <= 1.15"		-		Affected
Gnu Search vendor "Gnu"		Wget Search vendor "Gnu" for product "Wget"				1.12 Search vendor "Gnu" for product "Wget" and version "1.12"		-		Affected
Gnu Search vendor "Gnu"		Wget Search vendor "Gnu" for product "Wget"				1.13 Search vendor "Gnu" for product "Wget" and version "1.13"		-		Affected
Gnu Search vendor "Gnu"		Wget Search vendor "Gnu" for product "Wget"				1.13.1 Search vendor "Gnu" for product "Wget" and version "1.13.1"		-		Affected
Gnu Search vendor "Gnu"		Wget Search vendor "Gnu" for product "Wget"				1.13.2 Search vendor "Gnu" for product "Wget" and version "1.13.2"		-		Affected
Gnu Search vendor "Gnu"		Wget Search vendor "Gnu" for product "Wget"				1.13.3 Search vendor "Gnu" for product "Wget" and version "1.13.3"		-		Affected
Gnu Search vendor "Gnu"		Wget Search vendor "Gnu" for product "Wget"				1.13.4 Search vendor "Gnu" for product "Wget" and version "1.13.4"		-		Affected
Gnu Search vendor "Gnu"		Wget Search vendor "Gnu" for product "Wget"				1.14 Search vendor "Gnu" for product "Wget" and version "1.14"		-		Affected