ID CVE-2016-4971
Summary GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
References
Vulnerable Configurations
  • cpe:2.3:a:gnu_wget_project:gnu_wget:1.17.1
    cpe:2.3:a:gnu_wget_project:gnu_wget:1.17.1
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
CVSS
Base: 4.3 (as of 01-07-2016 - 11:13)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality NONE
Integrity PARTIAL
Availability NONE
exploit-db via4
description GNU Wget < 1.18 - Arbitrary File Upload/Remote Code Execution. CVE-2016-4971. Remote exploit for linux platform
file exploits/linux/remote/40064.txt
id EDB-ID:40064
last seen 2016-07-08
modified 2016-07-06
platform linux
port
published 2016-07-06
reporter Dawid Golunski
source https://www.exploit-db.com/download/40064/
title GNU Wget < 1.18 - Arbitrary File Upload/Remote Code Execution
type remote
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2226-1.NASL
    description This update for wget fixes the following issues : - Fix for HTTP to a FTP redirection file name confusion vulnerability (bsc#984060, CVE-2016-4971). - Work around a libidn vulnerability (bsc#937096, CVE-2015-2059). - Fix for wget fails with basicauth: Failed writing HTTP request: Bad file descriptor (bsc#958342) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93369
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93369
    title SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2016:2226-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1067.NASL
    description This update for wget fixes the following issues : - Fix for HTTP to a FTP redirection file name confusion vulnerability (bsc#984060, CVE-2016-4971). - Work around a libidn vulnerability (bsc#937096, CVE-2015-2059). - Fix for wget fails with basicauth: Failed writing HTTP request: Bad file descriptor (bsc#958342) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 93430
    published 2016-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93430
    title openSUSE Security Update : wget (openSUSE-2016-1067)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2587.NASL
    description From Red Hat Security Advisory 2016:2587 : An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971) Red Hat would like to thank GNU wget project for reporting this issue. Upstream acknowledges Dawid Golunski as the original reporter. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 94708
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94708
    title Oracle Linux 7 : wget (ELSA-2016-2587)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2358-1.NASL
    description This update for wget fixes the following issues : - CVE-2016-4971: A HTTP to FTP redirection file name confusion vulnerability was fixed. (bsc#984060). - CVE-2016-7098: A potential race condition was fixed by creating files with .tmp ext and making them accessible to the current user only. (bsc#995964) Bug fixed : - Wget failed with basicauth: Failed writing HTTP request: Bad file descriptor (bsc#958342) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93714
    published 2016-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93714
    title SUSE SLES11 Security Update : wget (SUSE-SU-2016:2358-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-2DB8CBC2FD.NASL
    description Updated to 1.18 due to CVE-2016-4971 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92074
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92074
    title Fedora 23 : wget (2016-2db8cbc2fd)
  • NASL family Palo Alto Local Security Checks
    NASL id PALO_ALTO_PAN-OS_7_0_15.NASL
    description The version of Palo Alto Networks PAN-OS running on the remote host is 6.1.x prior to 6.1.17, 7.0.x prior to 7.0.15, 7.1.x prior to 7.1.10, or 8.0.x prior to 8.0.2. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the GNU wget component when handling server redirects to FTP resources due to the destination file name being obtained from the redirected URL and not the original URL. An unauthenticated, remote attacker can exploit this, via a specially crafted response, to cause a different file name to be used than intended, resulting in writing to arbitrary files. (CVE-2016-4971) - A flaw exists in the Linux kernel due to improper determination of the rate of challenge ACK segments. An unauthenticated, remote attacker can exploit this to gain access to the shared counter, which makes it easier to hijack TCP sessions using a blind in-window attack. This issue only affects version 7.1.x. (CVE-2016-5696) - An out-of-bounds read error exists when handling packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An unauthenticated, remote attacker can exploit this, via specially crafted truncated packets, to cause a denial of service condition. This issue does not affect version 6.1.x. (CVE-2017-3731) - A cross-site scripting (XSS) vulnerability exists in GlobalProtect due to improper validation of user-supplied input to unspecified request parameters before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. This issue only affects version 7.0.x. (CVE-2017-7409) - A flaw exists in the web-based management interface due to improper permission checks that allows an authenticated, remote attacker to disclose sensitive information. This issue only affects versions 6.1.x, 7.0.x, and 8.0.x. (CVE-2017-7644) - An information disclosure vulnerability exists in the GlobalProtect external interface due to returning different error messages when handling login attempts with valid or invalid usernames. An unauthenticated, remote attacker can exploit this to enumerate valid user accounts. This issue only affects versions 6.1.x, 7.0.x, and 8.0.x. (CVE-2017-7945) - A denial of service vulnerability exists in the firewall when handling stale responses to authentication requests prior to selecting CHAP or PAP as the protocol. An unauthenticated, remote attacker can exploit this to cause the authentication process (authd) to stop responding. This issue only affects versions 7.0.x and 7.1.x. - An information disclosure vulnerability exists when viewing changes in the configuration log due to the 'Auth Password' and 'Priv Password' for the SNMPv3 server profile not being properly masked. A local attacker can exploit this to disclose password information. This issue only affects versions 7.1.x and 8.0.x. - A denial of service vulnerability exists due to a flaw when handling HA3 messages. An unauthenticated, remote attacker can exploit this to cause several processes to stop. This issue only affects version 7.1.x.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 100419
    published 2017-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100419
    title Palo Alto Networks PAN-OS 6.1.x < 6.1.17 / 7.0.x < 7.0.15 / 7.1.x < 7.1.10 / 8.0.x < 8.0.2 Multiple Vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2587.NASL
    description An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971) Red Hat would like to thank GNU wget project for reporting this issue. Upstream acknowledges Dawid Golunski as the original reporter. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 95333
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95333
    title CentOS 7 : wget (CESA-2016:2587)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161103_WGET_ON_SL7_X.NASL
    description Security Fix(es) : - It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 95865
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95865
    title Scientific Linux Security Update : wget on SL7.x x86_64
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1064.NASL
    description According to the version of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.(CVE-2016-4971) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99826
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99826
    title EulerOS 2.0 SP1 : wget (EulerOS-SA-2016-1064)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201610-11.NASL
    description The remote host is affected by the vulnerability described in GLSA-201610-11 (GNU Wget: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Wget. Please review the CVE identifier and bug reports referenced for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-10-31
    plugin id 94422
    published 2016-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94422
    title GLSA-201610-11 : GNU Wget: Multiple vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-165-01.NASL
    description New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
    last seen 2019-02-21
    modified 2016-10-19
    plugin id 91573
    published 2016-06-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91573
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : wget (SSA:2016-165-01)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-536.NASL
    description On a server redirect from HTTP to a FTP resource, wget would trust the HTTP server and uses the name in the redirected URL as the destination filename. This behaviour was changed and now it works similarly as a redirect from HTTP to another HTTP resource so the original name is used as the destination file. To keep the previous behaviour the user must provide --trust-server-names. For Debian 7 'Wheezy', these problems have been fixed in version 1.13.4-3+deb7u3. We recommend that you upgrade your wget packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 91903
    published 2016-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91903
    title Debian DLA-536-1 : wget security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-24135DFE43.NASL
    description Updated to 1.18 due to CVE-2016-4971 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92068
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92068
    title Fedora 22 : wget (2016-24135dfe43)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_6DF56C60373811E6A67160A44CE6887B.NASL
    description Giuseppe Scrivano reports : On a server redirect from HTTP to a FTP resource, wget would trust the HTTP server and uses the name in the redirected URL as the destination filename.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91734
    published 2016-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91734
    title FreeBSD : wget -- HTTP to FTP redirection file name confusion vulnerability (6df56c60-3738-11e6-a671-60a44ce6887b)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2587.NASL
    description An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971) Red Hat would like to thank GNU wget project for reporting this issue. Upstream acknowledges Dawid Golunski as the original reporter. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 94550
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94550
    title RHEL 7 : wget (RHSA-2016:2587)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-720.NASL
    description GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. (CVE-2016-4971)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 92222
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92222
    title Amazon Linux AMI : wget (ALAS-2016-720)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-E14374472F.NASL
    description Updated to 1.18 due to CVE-2016-4971 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92186
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92186
    title Fedora 24 : wget (2016-e14374472f)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3012-1.NASL
    description Dawid Golunski discovered that Wget incorrectly handled filenames when being redirected from an HTTP to an FTP URL. A malicious server could possibly use this issue to overwrite local files. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91728
    published 2016-06-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91728
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : wget vulnerability (USN-3012-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-973.NASL
    description This update for wget fixes the following issue : - CVE-2016-4971: HTTP to a FTP redirection file name confusion vulnerability (boo#984060).
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 92931
    published 2016-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92931
    title openSUSE Security Update : wget (openSUSE-2016-973)
packetstorm via4
data source https://packetstormsecurity.com/files/download/137795/wget-fileuploadexec.txt
id PACKETSTORM:137795
last seen 2016-12-05
published 2016-07-06
reporter Dawid Golunski
source https://packetstormsecurity.com/files/137795/GNU-Wget-Arbitrary-File-Upload-Potential-Remote-Code-Execution.html
title GNU Wget Arbitrary File Upload / Potential Remote Code Execution
redhat via4
advisories
bugzilla
id 1343666
title CVE-2016-4971 wget: Lack of filename checking allows arbitrary file upload via FTP redirect
oval
AND
  • comment wget is earlier than 0:1.14-13.el7
    oval oval:com.redhat.rhsa:tst:20162587005
  • comment wget is signed with Red Hat redhatrelease2 key
    oval oval:com.redhat.rhsa:tst:20140151006
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
rhsa
id RHSA-2016:2587
released 2016-11-03
severity Moderate
title RHSA-2016:2587: wget security and bug fix update (Moderate)
rpms wget-0:1.14-13.el7
refmap via4
bid 91530
confirm
exploit-db 40064
gentoo GLSA-201610-11
mlist [info-gnu] 20160609 GNU wget 1.18 released
sectrack 1036133
suse openSUSE-SU-2016:2027
ubuntu USN-3012-1
Last major update 28-11-2016 - 15:22
Published 30-06-2016 - 13:59
Last modified 04-01-2018 - 21:30