FTP: GNU wget FTP Remote File Creation

GNU Wget has an input validation error. Upon successful exploitation, arbitrary files, directories or symlinks with attacker-chosen permissions are created on the target system.

Extended Description

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

Affected Products

GNU Wget

Short Name: FTP:SYMLINKS-WGET-INPT-VALID
Severity: Major
Recommended: False
Recommended Action: Drop
Category: FTP
Keywords: CVE-2014-4877 Creation FTP File GNU Remote wget
Release Date: 11/10/2014
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version: 3336
False Positive: Unknown
Vendors

GNU

CVSS Score

9.3
