CVE-2014-4877

Severity: 9.3 CRITICAL
EPSS: 74.3% (top 1.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 29, Latest update May 17

Description

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

CVSS vector

AV:N/AC:M/C:C/I:C/A:C
Exploitability: 8.6 | Impact: 10.0

Affected Packages (2 packages)

Debian: wget < 1.16-1 (+3)
NVD: gnu/wget 1.15 (+7)

🔴 Vulnerability Details (3)

GHSA
GHSA-p2w7-gcfj-5p55: Absolute path traversal vulnerability in GNU Wget before 1 (2022-05-17)
CVEList
CVE-2014-4877: Absolute path traversal vulnerability in GNU Wget before 1 (2014-10-29)
OSV
CVE-2014-4877: Absolute path traversal vulnerability in GNU Wget before 1 (2014-10-29)

📋 Vendor Advisories (3)

Ubuntu
Wget vulnerability (2014-10-30)
Red Hat
wget: FTP symlink arbitrary filesystem access (2014-10-27)
Debian
CVE-2014-4877: wget - Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is... (2014)

💬 Community (2)

Bugzilla
CVE-2014-4877 wget: FTP symlink arbitrary filesystem access [fedora-all] (2014-10-27)
Bugzilla
CVE-2014-4877 wget: FTP symlink arbitrary filesystem access (2014-09-08)