{"containers":{"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2014-10-27T00:00:00.000Z","descriptions":[{"lang":"en","value":"Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-02-16T10:57:01.000Z","orgId":"37e5125f-f79b-445b-8fad-9564f167944b","shortName":"certcc"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0"},{"name":"GLSA-201411-05","tags":["vendor-advisory","x_refsource_GENTOO"],"url":"http://security.gentoo.org/glsa/glsa-201411-05.xml"},{"tags":["x_refsource_CONFIRM"],"url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"},{"name":"[bug-wget] 20141027 GNU wget 1.16 released","tags":["mailing-list","x_refsource_MLIST"],"url":"http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html"},{"name":"USN-2393-1","tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"http://www.ubuntu.com/usn/USN-2393-1"},{"name":"MDVSA-2015:121","tags":["vendor-advisory","x_refsource_MANDRIVA"],"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2015:121"},{"name":"RHSA-2014:1955","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"http://rhn.redhat.com/errata/RHSA-2014-1955.html"},{"name":"DSA-3062","tags":["vendor-advisory","x_refsource_DEBIAN"],"url":"http://www.debian.org/security/2014/dsa-3062"},{"tags":["x_refsource_CONFIRM"],"url":"http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7"},{"name":"VU#685996","tags":["third-party-advisory","x_refsource_CERT-VN"],"url":"http://www.kb.cert.org/vuls/id/685996"},{"name":"SUSE-SU-2014:1366","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html"},{"name":"RHSA-2014:1764","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"http://rhn.redhat.com/errata/RHSA-2014-1764.html"},{"name":"SUSE-SU-2014:1408","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"},{"name":"openSUSE-SU-2014:1380","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1139181"},{"tags":["x_refsource_MISC"],"url":"https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"},{"tags":["x_refsource_CONFIRM"],"url":"http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"},{"name":"70751","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/70751"},{"tags":["x_refsource_CONFIRM"],"url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10106"},{"tags":["x_refsource_CONFIRM"],"url":"http://advisories.mageia.org/MGASA-2014-0431.html"},{"tags":["x_refsource_MISC"],"url":"https://github.com/rapid7/metasploit-framework/pull/4088"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cert@cert.org","ID":"CVE-2014-4877","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0","refsource":"CONFIRM","url":"http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0"},{"name":"GLSA-201411-05","refsource":"GENTOO","url":"http://security.gentoo.org/glsa/glsa-201411-05.xml"},{"name":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917","refsource":"CONFIRM","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"},{"name":"[bug-wget] 20141027 GNU wget 1.16 released","refsource":"MLIST","url":"http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html"},{"name":"USN-2393-1","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-2393-1"},{"name":"MDVSA-2015:121","refsource":"MANDRIVA","url":"http://www.mandriva.com/security/advisories?name=MDVSA-2015:121"},{"name":"RHSA-2014:1955","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2014-1955.html"},{"name":"DSA-3062","refsource":"DEBIAN","url":"http://www.debian.org/security/2014/dsa-3062"},{"name":"http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7","refsource":"CONFIRM","url":"http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7"},{"name":"VU#685996","refsource":"CERT-VN","url":"http://www.kb.cert.org/vuls/id/685996"},{"name":"SUSE-SU-2014:1366","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html"},{"name":"RHSA-2014:1764","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2014-1764.html"},{"name":"SUSE-SU-2014:1408","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html"},{"name":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722","refsource":"CONFIRM","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"},{"name":"openSUSE-SU-2014:1380","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html"},{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=1139181","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1139181"},{"name":"https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access","refsource":"MISC","url":"https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"},{"name":"http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html","refsource":"CONFIRM","url":"http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"},{"name":"70751","refsource":"BID","url":"http://www.securityfocus.com/bid/70751"},{"name":"https://kc.mcafee.com/corporate/index?page=content&id=SB10106","refsource":"CONFIRM","url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10106"},{"name":"http://advisories.mageia.org/MGASA-2014-0431.html","refsource":"CONFIRM","url":"http://advisories.mageia.org/MGASA-2014-0431.html"},{"name":"https://github.com/rapid7/metasploit-framework/pull/4088","refsource":"MISC","url":"https://github.com/rapid7/metasploit-framework/pull/4088"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-06T11:27:36.989Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0"},{"name":"GLSA-201411-05","tags":["vendor-advisory","x_refsource_GENTOO","x_transferred"],"url":"http://security.gentoo.org/glsa/glsa-201411-05.xml"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"},{"name":"[bug-wget] 20141027 GNU wget 1.16 released","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html"},{"name":"USN-2393-1","tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"http://www.ubuntu.com/usn/USN-2393-1"},{"name":"MDVSA-2015:121","tags":["vendor-advisory","x_refsource_MANDRIVA","x_transferred"],"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2015:121"},{"name":"RHSA-2014:1955","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"http://rhn.redhat.com/errata/RHSA-2014-1955.html"},{"name":"DSA-3062","tags":["vendor-advisory","x_refsource_DEBIAN","x_transferred"],"url":"http://www.debian.org/security/2014/dsa-3062"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7"},{"name":"VU#685996","tags":["third-party-advisory","x_refsource_CERT-VN","x_transferred"],"url":"http://www.kb.cert.org/vuls/id/685996"},{"name":"SUSE-SU-2014:1366","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html"},{"name":"RHSA-2014:1764","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"http://rhn.redhat.com/errata/RHSA-2014-1764.html"},{"name":"SUSE-SU-2014:1408","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"},{"name":"openSUSE-SU-2014:1380","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1139181"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"},{"name":"70751","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/70751"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10106"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://advisories.mageia.org/MGASA-2014-0431.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/rapid7/metasploit-framework/pull/4088"}]}]},"cveMetadata":{"assignerOrgId":"37e5125f-f79b-445b-8fad-9564f167944b","assignerShortName":"certcc","cveId":"CVE-2014-4877","datePublished":"2014-10-29T10:00:00.000Z","dateReserved":"2014-07-10T00:00:00.000Z","dateUpdated":"2024-08-06T11:27:36.989Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}