CVE-2016-4971
GNU Wget < 1.18 - Arbitrary File Upload
- Public Exploits: 9
- Exploited in Wild: -
- Decision: -
Descriptions
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to an FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.
The wget packages provide the GNU Wget file retrieval utility for the HTTP, HTTPS, and FTP protocols. Security Fix: It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to an FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2016-05-24 CVE Reserved
- 2016-06-21 CVE Published
- 2016-06-24 First Exploit
- 2024-08-06 CVE Updated
- 2025-07-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-73: External Control of File Name or Path
CAPEC
References (20)
URL | Tag
---|---
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html | Third Party Advisory
http://www.securityfocus.com/bid/91530 | Third Party Advisory
http://www.securitytracker.com/id/1036133 | Third Party Advisory
https://security.paloaltonetworks.com/CVE-2016-4971 | Third Party Advisory

URL | Date
---|---
https://packetstorm.news/files/id/162395 | 2021-04-30
https://packetstorm.news/files/id/137795 | 2016-07-06
https://www.exploit-db.com/exploits/49815 | 2021-10-29
https://www.exploit-db.com/exploits/40064 | 2024-08-06
https://github.com/gitcollect/CVE-2016-4971 | 2016-06-24
https://github.com/mbadanoiu/CVE-2016-4971 | 2019-01-05
https://github.com/dinidhu96/IT19013756_-CVE-2016-4971- | 2020-05-12
http://packetstormsecurity.com/files/162395/GNU-wget-Arbitrary-File-Upload-Code-Execution.html | 2024-08-06
https://bugzilla.redhat.com/show_bug.cgi?id=1343666 | 2024-08-06

URL | Date
---|---
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1 | 2023-02-12
http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html | 2023-02-12

URL | Date
---|---
http://lists.opensuse.org/opensuse-updates/2016-08/msg00043.html | 2023-02-12
http://rhn.redhat.com/errata/RHSA-2016-2587.html | 2023-02-12
http://www.ubuntu.com/usn/USN-3012-1 | 2023-02-12
https://security.gentoo.org/glsa/201610-11 | 2023-02-12
https://access.redhat.com/security/cve/CVE-2016-4971 | 2016-11-03
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Gnu | Wget | < 1.18 | - | Affected
Canonical | Ubuntu Linux | 12.04 | - | Affected
Canonical | Ubuntu Linux | 14.04 | esm | Affected
Canonical | Ubuntu Linux | 15.10 | - | Affected
Canonical | Ubuntu Linux | 16.04 | esm | Affected
Oracle | Solaris | 10 | - | Affected
Oracle | Solaris | 11.3 | - | Affected
Paloaltonetworks | Pan-os | >= 6.1.0 <= 6.1.16 | - | Affected
Paloaltonetworks | Pan-os | >= 7.0.0 <= 7.0.14 | - | Affected
Paloaltonetworks | Pan-os | >= 7.1.0 <= 7.1.9 | - | Affected