CVE-2014-4877

Published: 29 October 2014

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

Priority

Medium

Status

Package: wget

Release: Upstream
Status: Released (1.16)

Release: Ubuntu 14.04 ESM (Trusty Tahr)
Status: Released (1.15-1ubuntu1.14.04.1)

Patches:
Upstream: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
Upstream: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=69c45cba4382fcaabe3d86876bd5463dc34f442c