CVE-2014-4877 - Vulnerability Details

Vendors	Products
Gnu	Wget
Redhat	Enterprise Linux Rhel Eus

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 6
wget-0:1.12-5.el6_6.1	cpe:/o:redhat:enterprise_linux:6	RHSA-2014:1764	2014-10-30T00:00:00Z
Red Hat Enterprise Linux 6.5 Extended Update Support
wget-0:1.12-1.12.el6_5	cpe:/o:redhat:rhel_eus:6.5	RHSA-2014:1955	2014-12-03T00:00:00Z
Red Hat Enterprise Linux 7
wget-0:1.14-10.el7_0.1	cpe:/o:redhat:enterprise_linux:7	RHSA-2014:1764	2014-10-30T00:00:00Z

Link	Providers
http://advisories.mageia.org/MGASA-2014-0431.html
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0
http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html
http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html
http://rhn.redhat.com/errata/RHSA-2014-1764.html
http://rhn.redhat.com/errata/RHSA-2014-1955.html
http://security.gentoo.org/glsa/glsa-201411-05.xml
http://www.debian.org/security/2014/dsa-3062
http://www.kb.cert.org/vuls/id/685996
http://www.mandriva.com/security/advisories?name=MDVSA-2015:121
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://www.securityfocus.com/bid/70751
http://www.ubuntu.com/usn/USN-2393-1
https://bugzilla.redhat.com/show_bug.cgi?id=1139181
https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
https://github.com/rapid7/metasploit-framework/pull/4088
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://kc.mcafee.com/corporate/index?page=content&id=SB10106
https://nvd.nist.gov/vuln/detail/CVE-2014-4877
https://www.cve.org/CVERecord?id=CVE-2014-4877

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-10-27T00:00:00", "descriptions": [{"lang": "en", "value": "Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-16T10:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0"}, {"name": "GLSA-201411-05", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-201411-05.xml"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"}, {"name": "[bug-wget] 20141027 GNU wget 1.16 released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html"}, {"name": "USN-2393-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2393-1"}, {"name": "MDVSA-2015:121", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:121"}, {"name": "RHSA-2014:1955", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1955.html"}, {"name": "DSA-3062", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-3062"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7"}, {"name": "VU#685996", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/685996"}, {"name": "SUSE-SU-2014:1366", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html"}, {"name": "RHSA-2014:1764", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1764.html"}, {"name": "SUSE-SU-2014:1408", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"}, {"name": "openSUSE-SU-2014:1380", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1139181"}, {"tags": ["x_refsource_MISC"], "url": "https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"}, {"name": "70751", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/70751"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10106"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://advisories.mageia.org/MGASA-2014-0431.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/rapid7/metasploit-framework/pull/4088"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2014-4877", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0", "refsource": "CONFIRM", "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0"}, {"name": "GLSA-201411-05", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-201411-05.xml"}, {"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", "refsource": "CONFIRM", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"}, {"name": "[bug-wget] 20141027 GNU wget 1.16 released", "refsource": "MLIST", "url": "http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html"}, {"name": "USN-2393-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2393-1"}, {"name": "MDVSA-2015:121", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:121"}, {"name": "RHSA-2014:1955", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1955.html"}, {"name": "DSA-3062", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-3062"}, {"name": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7", "refsource": "CONFIRM", "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7"}, {"name": "VU#685996", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/685996"}, {"name": "SUSE-SU-2014:1366", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html"}, {"name": "RHSA-2014:1764", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1764.html"}, {"name": "SUSE-SU-2014:1408", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html"}, {"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", "refsource": "CONFIRM", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"}, {"name": "openSUSE-SU-2014:1380", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1139181", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1139181"}, {"name": "https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access", "refsource": "MISC", "url": "https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"}, {"name": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"}, {"name": "70751", "refsource": "BID", "url": "http://www.securityfocus.com/bid/70751"}, {"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10106", "refsource": "CONFIRM", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10106"}, {"name": "http://advisories.mageia.org/MGASA-2014-0431.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2014-0431.html"}, {"name": "https://github.com/rapid7/metasploit-framework/pull/4088", "refsource": "MISC", "url": "https://github.com/rapid7/metasploit-framework/pull/4088"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T11:27:36.989Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0"}, {"name": "GLSA-201411-05", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-201411-05.xml"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"}, {"name": "[bug-wget] 20141027 GNU wget 1.16 released", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html"}, {"name": "USN-2393-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2393-1"}, {"name": "MDVSA-2015:121", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:121"}, {"name": "RHSA-2014:1955", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1955.html"}, {"name": "DSA-3062", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-3062"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7"}, {"name": "VU#685996", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/685996"}, {"name": "SUSE-SU-2014:1366", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html"}, {"name": "RHSA-2014:1764", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1764.html"}, {"name": "SUSE-SU-2014:1408", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"}, {"name": "openSUSE-SU-2014:1380", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1139181"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"}, {"name": "70751", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/70751"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10106"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://advisories.mageia.org/MGASA-2014-0431.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rapid7/metasploit-framework/pull/4088"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2014-4877", "datePublished": "2014-10-29T10:00:00", "dateReserved": "2014-07-10T00:00:00", "dateUpdated": "2024-08-06T11:27:36.989Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

datePublic : 2014-10-27T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2017-02-16T10:57:01 (string)

orgId : 37e5125f-f79b-445b-8fad-9564f167944b (string)

shortName : certcc (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0 (string)

}

1 : { »

name : GLSA-201411-05 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_GENTOO (string)

]

url : http://security.gentoo.org/glsa/glsa-201411-05.xml (string)

}

2 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 (string)

}

3 : { »

name : [bug-wget] 20141027 GNU wget 1.16 released (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html (string)

}

4 : { »

name : USN-2393-1 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_UBUNTU (string)

]

url : http://www.ubuntu.com/usn/USN-2393-1 (string)

}

5 : { »

name : MDVSA-2015:121 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_MANDRIVA (string)

]

url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:121 (string)

}

6 : { »

name : RHSA-2014:1955 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

url : http://rhn.redhat.com/errata/RHSA-2014-1955.html (string)

}

7 : { »

name : DSA-3062 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_DEBIAN (string)

]

url : http://www.debian.org/security/2014/dsa-3062 (string)

}

8 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 (string)

}

9 : { »

name : VU#685996 (string)

tags : [ »

0 : third-party-advisory (string)

1 : x_refsource_CERT-VN (string)

]

url : http://www.kb.cert.org/vuls/id/685996 (string)

}

10 : { »

name : SUSE-SU-2014:1366 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_SUSE (string)

]

url : http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html (string)

}

11 : { »

name : RHSA-2014:1764 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

url : http://rhn.redhat.com/errata/RHSA-2014-1764.html (string)

}

12 : { »

name : SUSE-SU-2014:1408 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_SUSE (string)

]

url : http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html (string)

}

13 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 (string)

}

14 : { »

name : openSUSE-SU-2014:1380 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_SUSE (string)

]

url : http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html (string)

}

15 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=1139181 (string)

}

16 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access (string)

}

17 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html (string)

}

18 : { »

name : 70751 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_BID (string)

]

url : http://www.securityfocus.com/bid/70751 (string)

}

19 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://kc.mcafee.com/corporate/index?page=content&id=SB10106 (string)

}

20 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : http://advisories.mageia.org/MGASA-2014-0431.html (string)

}

21 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/rapid7/metasploit-framework/pull/4088 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cert@cert.org (string)

ID : CVE-2014-4877 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0 (string)

refsource : CONFIRM (string)

url : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0 (string)

}

1 : { »

name : GLSA-201411-05 (string)

refsource : GENTOO (string)

url : http://security.gentoo.org/glsa/glsa-201411-05.xml (string)

}

2 : { »

name : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 (string)

refsource : CONFIRM (string)

url : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 (string)

}

3 : { »

name : [bug-wget] 20141027 GNU wget 1.16 released (string)

refsource : MLIST (string)

url : http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html (string)

}

4 : { »

name : USN-2393-1 (string)

refsource : UBUNTU (string)

url : http://www.ubuntu.com/usn/USN-2393-1 (string)

}

5 : { »

name : MDVSA-2015:121 (string)

refsource : MANDRIVA (string)

url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:121 (string)

}

6 : { »

name : RHSA-2014:1955 (string)

refsource : REDHAT (string)

url : http://rhn.redhat.com/errata/RHSA-2014-1955.html (string)

}

7 : { »

name : DSA-3062 (string)

refsource : DEBIAN (string)

url : http://www.debian.org/security/2014/dsa-3062 (string)

}

8 : { »

name : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 (string)

refsource : CONFIRM (string)

url : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 (string)

}

9 : { »

name : VU#685996 (string)

refsource : CERT-VN (string)

url : http://www.kb.cert.org/vuls/id/685996 (string)

}

10 : { »

name : SUSE-SU-2014:1366 (string)

refsource : SUSE (string)

url : http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html (string)

}

11 : { »

name : RHSA-2014:1764 (string)

refsource : REDHAT (string)

url : http://rhn.redhat.com/errata/RHSA-2014-1764.html (string)

}

12 : { »

name : SUSE-SU-2014:1408 (string)

refsource : SUSE (string)

url : http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html (string)

}

13 : { »

name : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 (string)

refsource : CONFIRM (string)

url : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 (string)

}

14 : { »

name : openSUSE-SU-2014:1380 (string)

refsource : SUSE (string)

url : http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html (string)

}

15 : { »

name : https://bugzilla.redhat.com/show_bug.cgi?id=1139181 (string)

refsource : CONFIRM (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=1139181 (string)

}

16 : { »

name : https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access (string)

refsource : MISC (string)

url : https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access (string)

}

17 : { »

name : http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html (string)

refsource : CONFIRM (string)

url : http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html (string)

}

18 : { »

name : 70751 (string)

refsource : BID (string)

url : http://www.securityfocus.com/bid/70751 (string)

}

19 : { »

name : https://kc.mcafee.com/corporate/index?page=content&id=SB10106 (string)

refsource : CONFIRM (string)

url : https://kc.mcafee.com/corporate/index?page=content&id=SB10106 (string)

}

20 : { »

name : http://advisories.mageia.org/MGASA-2014-0431.html (string)

refsource : CONFIRM (string)

url : http://advisories.mageia.org/MGASA-2014-0431.html (string)

}

21 : { »

name : https://github.com/rapid7/metasploit-framework/pull/4088 (string)

refsource : MISC (string)

url : https://github.com/rapid7/metasploit-framework/pull/4088 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-06T11:27:36.989Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0 (string)

}

1 : { »

name : GLSA-201411-05 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_GENTOO (string)

2 : x_transferred (string)

]

url : http://security.gentoo.org/glsa/glsa-201411-05.xml (string)

}

2 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 (string)

}

3 : { »

name : [bug-wget] 20141027 GNU wget 1.16 released (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html (string)

}

4 : { »

name : USN-2393-1 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_UBUNTU (string)

2 : x_transferred (string)

]

url : http://www.ubuntu.com/usn/USN-2393-1 (string)

}

5 : { »

name : MDVSA-2015:121 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_MANDRIVA (string)

2 : x_transferred (string)

]

url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:121 (string)

}

6 : { »

name : RHSA-2014:1955 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

url : http://rhn.redhat.com/errata/RHSA-2014-1955.html (string)

}

7 : { »

name : DSA-3062 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_DEBIAN (string)

2 : x_transferred (string)

]

url : http://www.debian.org/security/2014/dsa-3062 (string)

}

8 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 (string)

}

9 : { »

name : VU#685996 (string)

tags : [ »

0 : third-party-advisory (string)

1 : x_refsource_CERT-VN (string)

2 : x_transferred (string)

]

url : http://www.kb.cert.org/vuls/id/685996 (string)

}

10 : { »

name : SUSE-SU-2014:1366 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_SUSE (string)

2 : x_transferred (string)

]

url : http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html (string)

}

11 : { »

name : RHSA-2014:1764 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

url : http://rhn.redhat.com/errata/RHSA-2014-1764.html (string)

}

12 : { »

name : SUSE-SU-2014:1408 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_SUSE (string)

2 : x_transferred (string)

]

url : http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html (string)

}

13 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 (string)

}

14 : { »

name : openSUSE-SU-2014:1380 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_SUSE (string)

2 : x_transferred (string)

]

url : http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html (string)

}

15 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=1139181 (string)

}

16 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access (string)

}

17 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html (string)

}

18 : { »

name : 70751 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_BID (string)

2 : x_transferred (string)

]

url : http://www.securityfocus.com/bid/70751 (string)

}

19 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://kc.mcafee.com/corporate/index?page=content&id=SB10106 (string)

}

20 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : http://advisories.mageia.org/MGASA-2014-0431.html (string)

}

21 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://github.com/rapid7/metasploit-framework/pull/4088 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 37e5125f-f79b-445b-8fad-9564f167944b (string)

assignerShortName : certcc (string)

cveId : CVE-2014-4877 (string)

datePublished : 2014-10-29T10:00:00 (string)

dateReserved : 2014-07-10T00:00:00 (string)

dateUpdated : 2024-08-06T11:27:36.989Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:wget:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC092879-65CD-4F25-80DA-70514D6B2A6E", "versionEndIncluding": "1.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:wget:1.12:*:*:*:*:*:*:*", "matchCriteriaId": "B5E5E724-5DC7-4264-BF3D-27CFB093AC03", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:wget:1.13:*:*:*:*:*:*:*", "matchCriteriaId": "17D42285-E640-4EF9-8E1A-072C77F6A9C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:wget:1.13.1:*:*:*:*:*:*:*", "matchCriteriaId": "EB7F0263-11A7-4E85-8A5D-FB41F6CDF784", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:wget:1.13.2:*:*:*:*:*:*:*", "matchCriteriaId": "244D4F9A-4697-4DF2-9590-36203F19DA63", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:wget:1.13.3:*:*:*:*:*:*:*", "matchCriteriaId": "1BE195AF-F305-4B47-8047-C20B1CB6BF31", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:wget:1.13.4:*:*:*:*:*:*:*", "matchCriteriaId": "FC6F6840-CAA0-422D-89CF-920D8314A27B", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:wget:1.14:*:*:*:*:*:*:*", "matchCriteriaId": "D225A5FC-7BA8-4DD8-9A9F-6AAA3D15A8A2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink."}, {"lang": "es", "value": "Vulnerabilidad de salto de ruta absoluta en GNU Wget anterior a 1.16, cuando la recursi\u00f3n esta habilitada, permite a servidores FTP remotos escribir a ficheros arbitrarios, y como consecuencia ejecutar c\u00f3digo arbitrario, a trav\u00e9s de una respuesta LIST que hace referencia al mismo nombre de fichero dentro de dos entradas, una de las cuales indica que el nombre de fichero es para un enlace simb\u00f3lico."}], "id": "CVE-2014-4877", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-29T10:55:05.417", "references": [{"source": "cret@cert.org", "url": "http://advisories.mageia.org/MGASA-2014-0431.html"}, {"source": "cret@cert.org", "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7"}, {"source": "cret@cert.org", "tags": ["Patch"], "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0"}, {"source": "cret@cert.org", "tags": ["Patch"], "url": "http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html"}, {"source": "cret@cert.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html"}, {"source": "cret@cert.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html"}, {"source": "cret@cert.org", "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html"}, {"source": "cret@cert.org", "url": "http://rhn.redhat.com/errata/RHSA-2014-1764.html"}, {"source": "cret@cert.org", "url": "http://rhn.redhat.com/errata/RHSA-2014-1955.html"}, {"source": "cret@cert.org", "url": "http://security.gentoo.org/glsa/glsa-201411-05.xml"}, {"source": "cret@cert.org", "url": "http://www.debian.org/security/2014/dsa-3062"}, {"source": "cret@cert.org", "tags": ["Patch", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/685996"}, {"source": "cret@cert.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:121"}, {"source": "cret@cert.org", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"}, {"source": "cret@cert.org", "url": "http://www.securityfocus.com/bid/70751"}, {"source": "cret@cert.org", "url": "http://www.ubuntu.com/usn/USN-2393-1"}, {"source": "cret@cert.org", "tags": ["Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1139181"}, {"source": "cret@cert.org", "tags": ["Exploit"], "url": "https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"}, {"source": "cret@cert.org", "tags": ["Exploit"], "url": "https://github.com/rapid7/metasploit-framework/pull/4088"}, {"source": "cret@cert.org", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"}, {"source": "cret@cert.org", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"}, {"source": "cret@cert.org", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10106"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://advisories.mageia.org/MGASA-2014-0431.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-1764.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-1955.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-201411-05.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-3062"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/685996"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:121"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/70751"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2393-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1139181"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://github.com/rapid7/metasploit-framework/pull/4088"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10106"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:gnu:wget:*:*:*:*:*:*:*:* (string)

matchCriteriaId : AC092879-65CD-4F25-80DA-70514D6B2A6E (string)

versionEndIncluding : 1.15 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:gnu:wget:1.12:*:*:*:*:*:*:* (string)

matchCriteriaId : B5E5E724-5DC7-4264-BF3D-27CFB093AC03 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:gnu:wget:1.13:*:*:*:*:*:*:* (string)

matchCriteriaId : 17D42285-E640-4EF9-8E1A-072C77F6A9C6 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:gnu:wget:1.13.1:*:*:*:*:*:*:* (string)

matchCriteriaId : EB7F0263-11A7-4E85-8A5D-FB41F6CDF784 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:gnu:wget:1.13.2:*:*:*:*:*:*:* (string)

matchCriteriaId : 244D4F9A-4697-4DF2-9590-36203F19DA63 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:gnu:wget:1.13.3:*:*:*:*:*:*:* (string)

matchCriteriaId : 1BE195AF-F305-4B47-8047-C20B1CB6BF31 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:gnu:wget:1.13.4:*:*:*:*:*:*:* (string)

matchCriteriaId : FC6F6840-CAA0-422D-89CF-920D8314A27B (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:gnu:wget:1.14:*:*:*:*:*:*:* (string)

matchCriteriaId : D225A5FC-7BA8-4DD8-9A9F-6AAA3D15A8A2 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

value : Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. (string)

}

1 : { »

lang : es (string)

value : Vulnerabilidad de salto de ruta absoluta en GNU Wget anterior a 1.16, cuando la recursión esta habilitada, permite a servidores FTP remotos escribir a ficheros arbitrarios, y como consecuencia ejecutar código arbitrario, a través de una respuesta LIST que hace referencia al mismo nombre de fichero dentro de dos entradas, una de las cuales indica que el nombre de fichero es para un enlace simbólico. (string)

}

]

id : CVE-2014-4877 (string)

lastModified : 2025-04-12T10:46:40.837 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : HIGH (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : COMPLETE (string)

baseScore : 9.3 (number)

confidentialityImpact : COMPLETE (string)

integrityImpact : COMPLETE (string)

vectorString : AV:N/AC:M/Au:N/C:C/I:C/A:C (string)

version : 2.0 (string)

}

exploitabilityScore : 8.6 (number)

impactScore : 10 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

}

published : 2014-10-29T10:55:05.417 (string)

references : [ »

0 : { »

source : cret@cert.org (string)

url : http://advisories.mageia.org/MGASA-2014-0431.html (string)

}

1 : { »

source : cret@cert.org (string)

url : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 (string)

}

2 : { »

source : cret@cert.org (string)

tags : [ »

0 : Patch (string)

]

url : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0 (string)

}

3 : { »

source : cret@cert.org (string)

tags : [ »

0 : Patch (string)

]

url : http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html (string)

}

4 : { »

source : cret@cert.org (string)

url : http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html (string)

}

5 : { »

source : cret@cert.org (string)

url : http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html (string)

}

6 : { »

source : cret@cert.org (string)

url : http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html (string)

}

7 : { »

source : cret@cert.org (string)

url : http://rhn.redhat.com/errata/RHSA-2014-1764.html (string)

}

8 : { »

source : cret@cert.org (string)

url : http://rhn.redhat.com/errata/RHSA-2014-1955.html (string)

}

9 : { »

source : cret@cert.org (string)

url : http://security.gentoo.org/glsa/glsa-201411-05.xml (string)

}

10 : { »

source : cret@cert.org (string)

url : http://www.debian.org/security/2014/dsa-3062 (string)

}

11 : { »

source : cret@cert.org (string)

tags : [ »

0 : Patch (string)

1 : US Government Resource (string)

]

url : http://www.kb.cert.org/vuls/id/685996 (string)

}

12 : { »

source : cret@cert.org (string)

url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:121 (string)

}

13 : { »

source : cret@cert.org (string)

url : http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html (string)

}

14 : { »

source : cret@cert.org (string)

url : http://www.securityfocus.com/bid/70751 (string)

}

15 : { »

source : cret@cert.org (string)

url : http://www.ubuntu.com/usn/USN-2393-1 (string)

}

16 : { »

source : cret@cert.org (string)

tags : [ »

0 : Patch (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=1139181 (string)

}

17 : { »

source : cret@cert.org (string)

tags : [ »

0 : Exploit (string)

]

url : https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access (string)

}

18 : { »

source : cret@cert.org (string)

tags : [ »

0 : Exploit (string)

]

url : https://github.com/rapid7/metasploit-framework/pull/4088 (string)

}

19 : { »

source : cret@cert.org (string)

url : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 (string)

}

20 : { »

source : cret@cert.org (string)

url : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 (string)

}

21 : { »

source : cret@cert.org (string)

url : https://kc.mcafee.com/corporate/index?page=content&id=SB10106 (string)

}

22 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://advisories.mageia.org/MGASA-2014-0431.html (string)

}

23 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 (string)

}

24 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0 (string)

}

25 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html (string)

}

26 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html (string)

}

27 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html (string)

}

28 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html (string)

}

29 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://rhn.redhat.com/errata/RHSA-2014-1764.html (string)

}

30 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://rhn.redhat.com/errata/RHSA-2014-1955.html (string)

}

31 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://security.gentoo.org/glsa/glsa-201411-05.xml (string)

}

32 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.debian.org/security/2014/dsa-3062 (string)

}

33 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : US Government Resource (string)

]

url : http://www.kb.cert.org/vuls/id/685996 (string)

}

34 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:121 (string)

}

35 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html (string)

}

36 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.securityfocus.com/bid/70751 (string)

}

37 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.ubuntu.com/usn/USN-2393-1 (string)

}

38 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=1139181 (string)

}

39 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

]

url : https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access (string)

}

40 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

]

url : https://github.com/rapid7/metasploit-framework/pull/4088 (string)

}

41 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 (string)

}

42 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 (string)

}

43 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://kc.mcafee.com/corporate/index?page=content&id=SB10106 (string)

}

]

sourceIdentifier : cret@cert.org (string)

vulnStatus : Deferred (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-22 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"acknowledgement": "Red Hat would like to thank GNU Wget project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2014:1764", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "wget-0:1.12-5.el6_6.1", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2014-10-30T00:00:00Z"}, {"advisory": "RHSA-2014:1955", "cpe": "cpe:/o:redhat:rhel_eus:6.5", "package": "wget-0:1.12-1.12.el6_5", "product_name": "Red Hat Enterprise Linux 6.5 Extended Update Support", "release_date": "2014-12-03T00:00:00Z"}, {"advisory": "RHSA-2014:1764", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "wget-0:1.14-10.el7_0.1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2014-10-30T00:00:00Z"}], "bugzilla": {"description": "wget: FTP symlink arbitrary filesystem access", "id": "1139181", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1139181"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "verified"}, "cwe": "CWE-59", "details": ["Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.", "A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution."], "name": "CVE-2014-4877", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "wget", "product_name": "Red Hat Enterprise Linux 5"}], "public_date": "2014-10-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-4877\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-4877"], "statement": "Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.", "threat_severity": "Moderate"}

{

acknowledgement : Red Hat would like to thank GNU Wget project for reporting this issue. (string)

affected_release : [ »

0 : { »

advisory : RHSA-2014:1764 (string)

cpe : cpe:/o:redhat:enterprise_linux:6 (string)

package : wget-0:1.12-5.el6_6.1 (string)

product_name : Red Hat Enterprise Linux 6 (string)

release_date : 2014-10-30T00:00:00Z (string)

}

1 : { »

advisory : RHSA-2014:1955 (string)

cpe : cpe:/o:redhat:rhel_eus:6.5 (string)

package : wget-0:1.12-1.12.el6_5 (string)

product_name : Red Hat Enterprise Linux 6.5 Extended Update Support (string)

release_date : 2014-12-03T00:00:00Z (string)

}

2 : { »

advisory : RHSA-2014:1764 (string)

cpe : cpe:/o:redhat:enterprise_linux:7 (string)

package : wget-0:1.14-10.el7_0.1 (string)

product_name : Red Hat Enterprise Linux 7 (string)

release_date : 2014-10-30T00:00:00Z (string)

}

]

bugzilla : { »

description : wget: FTP symlink arbitrary filesystem access (string)

id : 1139181 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=1139181 (string)

}

csaw : false (boolean)

cvss : { »

cvss_base_score : 4.3 (string)

cvss_scoring_vector : AV:N/AC:M/Au:N/C:N/I:P/A:N (string)

status : verified (string)

}

cwe : CWE-59 (string)

details : [ »

0 : Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. (string)

1 : A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution. (string)

]

name : CVE-2014-4877 (string)

package_state : [ »

0 : { »

cpe : cpe:/o:redhat:enterprise_linux:5 (string)

fix_state : Will not fix (string)

package_name : wget (string)

product_name : Red Hat Enterprise Linux 5 (string)

}

]

public_date : 2014-10-27T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2014-4877 https://nvd.nist.gov/vuln/detail/CVE-2014-4877 (string)

]

statement : Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. (string)

threat_severity : Moderate (string)

}

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object