Lucene search

Veracode Vulnerability DatabaseVERACODE:11477

HistoryJan 15, 2019 - 9:02 a.m.

Remote Code Execution (RCE)

2019-01-1509:02:36

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.078 Low

EPSS

Percentile

94.2%

JSON

wget is vulnerable to remote code execution (RCE) attacks. The vulnerability exists as an absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

CPENameOperatorVersion
wgeteq1.12__1.4.el6
wgeteq1.12__1.8.el6
wgeteq1.12__1.12.el6_5
wgeteq1.12__1.11.el6_5

Name	Operator	Version
wget	eq	1.12__1.4.el6
wget	eq	1.12__1.8.el6
wget	eq	1.12__1.12.el6_5
wget	eq	1.12__1.11.el6_5

References

advisories.mageia.org/MGASA-2014-0431.html

git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7

git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0

lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html

lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html

lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html

lists.opensuse.org/opensuse-updates/2014-11/msg00026.html

rhn.redhat.com/errata/RHSA-2014-1764.html

rhn.redhat.com/errata/RHSA-2014-1955.html

security.gentoo.org/glsa/glsa-201411-05.xml

www.debian.org/security/2014/dsa-3062

www.kb.cert.org/vuls/id/685996

www.mandriva.com/security/advisories?name=MDVSA-2015:121

www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

www.securityfocus.com/bid/70751

www.ubuntu.com/usn/USN-2393-1

access.redhat.com/security/updates/classification/#moderate

bugzilla.redhat.com/show_bug.cgi?id=1139181

community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

github.com/rapid7/metasploit-framework/pull/4088

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722

kc.mcafee.com/corporate/index?page=content&id=SB10106