Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - wget: FTP symlink arbitrary filesystem access (CVE-2014-4877)

  - wget: Lack of filename checking allows arbitrary file upload via FTP redirect (CVE-2016-4971)

  - GNU Wget 1.12 and earlier uses a server-provided filename instead of the original URL to determine the     destination filename of a download, which allows remote servers to create or overwrite arbitrary files via     a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted     filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home     directory. (CVE-2010-2252)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

According to the versions of the wget package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A stack-based buffer overflow when processing chunked,     encoded HTTP responses was found in wget. By tricking     an unsuspecting user into connecting to a malicious     HTTP server, an attacker could exploit this flaw to     potentially execute arbitrary code.(CVE-2017-13089)

  - A flaw was found in the way Wget handled symbolic     links. A malicious FTP server could allow Wget running     in the mirror mode (using the '-m' command line option)     to write an arbitrary file to a location writable to by     the user running Wget, possibly leading to code     execution.(CVE-2014-4877)

  - A cookie injection flaw was found in wget. An attacker     can create a malicious website which, when accessed,     overrides cookies belonging to arbitrary     domains.(CVE-2018-0494)

  - It was found that wget used a file name provided by the     server for the downloaded file when following a HTTP     redirect to a FTP server resource. This could cause     wget to create a file with a different name than     expected, possibly allowing the server to execute     arbitrary code on the client.(CVE-2016-4971)

  - A heap-based buffer overflow, when processing chunked     encoded HTTP responses, was found in wget. By tricking     an unsuspecting user into connecting to a malicious     HTTP server, an attacker could exploit this flaw to     potentially execute arbitrary code.(CVE-2017-13090)

  - Race condition in wget 1.17 and earlier, when used in     recursive or mirroring mode to download a single file,     might allow remote servers to bypass intended access     list restrictions by keeping an HTTP connection     open.(CVE-2016-7098)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

wget was updated to fix one security issue and two non-security issues :

  - FTP symbolic link arbitrary filesystem access     (CVE-2014-4877).

  - Fix displaying of download time (bnc#901276).

  - Fix 0 size FTP downloads after failure (bnc#885069).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

wget was updated to fix one security issue.

This security issue was fixed :

  - FTP symlink arbitrary filesystem access (CVE-2014-4877).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

wget was updated to fix one security issue :

  - FTP symbolic link arbitrary filesystem access     (CVE-2014-4877).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated wget package fixes security vulnerability :

Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP (CVE-2014-4877).

The default settings in wget have been changed such that wget no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. The old behaviour can be attained by passing the --retr-symlinks=no option to the wget command.

HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability allows to create arbitrary files on the user's system when Wget runs in recursive mode against a malicious FTP server. Arbitrary file creation may override content of user's files or permit remote code execution with the user privilege.

This update changes the default setting in Wget such that it no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

add fix for arches with unsigned char security update Fix the progress bar issue (#1159643)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An updated wget package that fixes one security issue is now available for Red Hat Enterprise Linux 6.5 Extended Update Support.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The wget package provides the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols.

A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution.
(CVE-2014-4877)

Note: This update changes the default value of the --retr-symlinks option. The file symbolic links are now traversed by default and pointed-to files are retrieved rather than creating a symbolic link locally.

Red Hat would like to thank the GNU Wget project for reporting this issue. Upstream acknowledges HD Moore of Rapid7, Inc as the original reporter.

All users of wget are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix CVE-2014-4877 wget: FTP symlink arbitrary filesystem     access (#1156133)

  - Fix the parsing of weblink when doing recursive     retrieving (#960137)

  - Fix errors found by static analysis of source code     (#873216)

  - Add SNI (Server Name Indication) support (#909604)

  - Add --trust-server-names option to fix CVE-2010-2252     (#1062190)

  - Fix wget to recognize certificates with alternative     names (#736445)

- add fix for arches with unsigned char

    - security update

    - Fix the progress bar issue (#1159643)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201411-05 (GNU Wget: Arbitrary code execution)

    An absolute path traversal vulnerability has been found in GNU Wget.
  Impact :

    A remote FTP server is able to write to arbitrary files, and       consequently execute arbitrary code.
  Workaround :

    There is no known workaround at this time.

wget was updated to version 1.16 to fix one security issue.

The following security issue was fixed :

  - Fix for symlink attack which could allow a malicious ftp     server to create arbitrary files, directories or     symbolic links and set their permissions when retrieving     a directory recursively through FTP (CVE-2014-4877).

MITRE reports :

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

wget has been updated to fix one security issue and two non-security issues.

This security issue has been fixed :

  - FTP symlink arbitrary filesystem access (CVE-2014-4877).
    These non-security issues have been fixed :

  - Fix displaying of download time. (bnc#901276)

  - Fix 0 size FTP downloads after failure. (bnc#885069)

A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution.
(CVE-2014-4877)

Note: This update changes the default value of the --retr-symlinks option. The file symbolic links are now traversed by default and pointed-to files are retrieved rather than creating a symbolic link locally.

HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability allows to create arbitrary files on the user's system when Wget runs in recursive mode against a malicious FTP server. Arbitrary file creation may override content of user's files or permit remote code execution with the user privilege. 

This update changes the default setting in Wget such that it no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-2393-1 advisory.

    HD Moore discovered that Wget contained a path traversal vulnerability when downloading symlinks using     FTP. A malicious remote FTP server or a man in the middle could use this issue to cause Wget to overwrite     arbitrary files, possibly leading to arbitrary code execution.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2014:1764 advisory.

  - wget: FTP symlink arbitrary filesystem access (CVE-2014-4877)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2014-1764 advisory.

    [1.14-10.1]
    - Fix CVE-2014-4877 wget: FTP symlink arbitrary filesystem access (#1156135)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An updated wget package that fixes one security issue is now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The wget package provides the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols.

A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution.
(CVE-2014-4877)

Note: This update changes the default value of the --retr-symlinks option. The file symbolic links are now traversed by default and pointed-to files are retrieved rather than creating a symbolic link locally.

Red Hat would like to thank the GNU Wget project for reporting this issue. Upstream acknowledges HD Moore of Rapid7, Inc as the original reporter.

All users of wget are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

ID	Name	Product	Family	Severity
198391	RHEL 5 : wget (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
124920	EulerOS Virtualization 3.0.1.0 : wget (EulerOS-SA-2019-1417)	Nessus	Huawei Local Security Checks	high
83845	SUSE SLES11 Security Update : wget (SUSE-SU-2014:1366-2)	Nessus	SuSE Local Security Checks	high
83645	SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2014:1464-1)	Nessus	SuSE Local Security Checks	high
83642	SUSE SLES10 Security Update : wget (SUSE-SU-2014:1408-1)	Nessus	SuSE Local Security Checks	high
82374	Mandriva Linux Security Advisory : wget (MDVSA-2015:121)	Nessus	Mandriva Local Security Checks	high
82227	Debian DLA-82-1 : wget security update	Nessus	Debian Local Security Checks	high
79771	Fedora 21 : wget-1.16-3.fc21 (2014-15347)	Nessus	Fedora Local Security Checks	high
79710	RHEL 6 : wget (RHSA-2014:1955)	Nessus	Red Hat Local Security Checks	high
79648	Fedora 19 : wget-1.16-3.fc19 (2014-15405)	Nessus	Fedora Local Security Checks	high
79551	OracleVM 3.3 : wget (OVMSA-2014-0036)	Nessus	OracleVM Local Security Checks	high
79398	Fedora 20 : wget-1.16-3.fc20 (2014-15385)	Nessus	Fedora Local Security Checks	high
79266	GLSA-201411-05 : GNU Wget: Arbitrary code execution	Nessus	Gentoo Local Security Checks	high
79103	openSUSE Security Update : wget (openSUSE-SU-2014:1380-1)	Nessus	SuSE Local Security Checks	high
79079	FreeBSD : wget -- path traversal vulnerability in recursive FTP mode (ee7b4f9d-66c8-11e4-9ae1-e8e0b722a85e)	Nessus	FreeBSD Local Security Checks	high
78887	SuSE 11.3 Security Update : wget (SAT Patch Number 9933)	Nessus	SuSE Local Security Checks	high
78875	Amazon Linux AMI : wget (ALAS-2014-442)	Nessus	Amazon Linux Local Security Checks	high
78854	Scientific Linux Security Update : wget on SL6.x, SL7.x i386/x86_64 (20141030)	Nessus	Scientific Linux Local Security Checks	high
78833	Debian DSA-3062-1 : wget - security update	Nessus	Debian Local Security Checks	high
78763	Ubuntu 14.04 LTS : Wget vulnerability (USN-2393-1)	Nessus	Ubuntu Local Security Checks	critical
78758	RHEL 6 / 7 : wget (RHSA-2014:1764)	Nessus	Red Hat Local Security Checks	critical
78753	Oracle Linux 6 / 7 : wget (ELSA-2014-1764)	Nessus	Oracle Linux Local Security Checks	critical
78751	CentOS 6 / 7 : wget (CESA-2014:1764)	Nessus	CentOS Local Security Checks	high
78732	Mandriva Linux Security Advisory : wget (MDVSA-2014:212)	Nessus	Mandriva Local Security Checks	high
78724	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : wget (SSA:2014-302-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2014-4877

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

critical

critical

critical

high

high

high