Absolute Path Traversal Vulnerability in GNU Wget from GNU
CVE-2014-4877
Currently unrated
Summary
GNU Wget before version 1.16, when recursion is enabled, contains an absolute path traversal flaw that remote FTP servers can exploit. By sending a crafted LIST response that references the same filename in multiple entries, one of which is a symlink, an attacker can manipulate files on the local system and potentially execute arbitrary code. This risk underscores the importance of updating to a secure version and configuring Wget properly.
EPSS Score
49% chance of being exploited in the next 30 days.