GNU Wget Arbitrary Filesystem Access Vulnerability

Last Update Date: 30 Oct 2014 10:20 Release Date: 30 Oct 2014 3916 Views

RISK: Medium Risk

TYPE: Clients - Browsers

A vulnerability was identified in wget. A remote user can cause arbitrary files, directories, and symlinks to be created on the target user's system.

A remote unauthenticated malicious FTP server, connected to the victim via wget, can create and overwrite arbitrary files in the context of the user running wget.

Impact

Data Manipulation

System / Technologies affected

wget versions 1.15 and earlier

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

Apply an update to 1.16
- The update should also be available in various package formats for downstream Linux distributions
- A source code fix is also available at:
  http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
The vendor's advisory is available at:
http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html

Vulnerability Identifier

CVE-2014-4877

GNU Wget Arbitrary Filesystem Access Vulnerability

Impact

System / Technologies affected

Solutions

Vulnerability Identifier

Source

Related Link