CVE-2014-4877
wget - security update
EPSS 74.3%
Description
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.
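The LIST pattern the description refers to can be recognised before a recursive retrieval acts on it. The following is an added example, not code from the wget project or from this advisory: it parses Unix-style FTP LIST lines, flags a name that appears in two entries where one of them is a symlink, and flags any symlink whose target resolves outside an assumed mirror root. The LIST lines, the mirror root `/srv/mirror` and the finding labels are constructed for the example.

```python
import posixpath
import re
from collections import defaultdict

# Unix "ls -l" style LIST line as sent by most FTP servers:
# type+perms, link count, owner, group, size, month day time-or-year, name.
_LIST_RE = re.compile(
    r"^(?P<type>[-dl])[rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"[A-Za-z]{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>.+)$"
)

# Constructed LIST response for the example: README appears twice, once as a
# regular file and once as a symlink whose target lies outside the mirror root.
SAMPLE_LIST_RESPONSE = """\
drwxr-xr-x   2 ftp  ftp      4096 Oct 01 12:00 pub
-rw-r--r--   1 ftp  ftp       512 Oct 01 12:00 README
lrwxrwxrwx   1 ftp  ftp        23 Oct 01 12:01 README -> /tmp/outside-the-mirror
lrwxrwxrwx   1 ftp  ftp        19 Oct 01 12:02 latest -> pub/file-1.0.tar.gz
lrwxrwxrwx   1 ftp  ftp        19 Oct 01 12:03 notes -> ../../tmp/notes.txt
"""


def parse_list(response):
    """Return one dict per parsable LIST line: type ('-', 'd' or 'l'), name, target."""
    entries = []
    for line in response.splitlines():
        m = _LIST_RE.match(line.rstrip("\r"))
        if not m:
            continue  # lines in other listing formats are skipped, not guessed at
        kind, name, target = m.group("type"), m.group("name"), None
        if kind == "l" and " -> " in name:
            name, target = name.split(" -> ", 1)
        entries.append({"type": kind, "name": name, "target": target})
    return entries


def find_suspicious_entries(response, mirror_root="/srv/mirror"):
    """Flag the CVE-2014-4877 pattern (one name listed twice, one entry a symlink)
    and any symlink whose target resolves outside mirror_root (an assumed path)."""
    findings = []
    entries = parse_list(response)
    by_name = defaultdict(list)
    for entry in entries:
        by_name[entry["name"]].append(entry)
    for name, same_name in by_name.items():
        if len(same_name) > 1 and any(e["type"] == "l" for e in same_name):
            findings.append(("duplicate-symlink", name))
    root = mirror_root.rstrip("/")
    for entry in entries:
        if entry["type"] != "l" or entry["target"] is None:
            continue
        # posixpath.join discards root when the target is absolute, so both an
        # absolute target and a '..'-laden relative one get compared against root.
        resolved = posixpath.normpath(posixpath.join(root, entry["target"]))
        if resolved != root and not resolved.startswith(root + "/"):
            findings.append(("symlink-escape", entry["name"], resolved))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_entries(SAMPLE_LIST_RESPONSE):
        print(finding)
```

The parser only handles the Unix listing format; servers that answer LIST in DOS or other formats would need their own pattern, and an unparsed line is skipped rather than treated as safe.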
How to fix CVE-2014-4877
To remediate CVE-2014-4877, upgrade the affected package to a fixed version below.
- Debian/wget—upgrade to 1.16-1 or later
- Debian/wget—upgrade to 1.12-2.1+deb6u1 or later
- —upgrade to 1.13.4-3+deb7u2 or later
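Whether a Debian host still needs this update cannot be read off the upstream version alone: the fixes listed above for the older suites are backports that keep upstream 1.12 and 1.13.4 and only change the Debian revision. The following added example (not part of this advisory, and not dpkg's own code) compares a package version with the fixed version for its suite using the dpkg ordering rules, and shows the false positive that an upstream-only check produces. The suite-to-version mapping is an assumption inferred from the `+deb6u1` / `+deb7u2` suffixes; the installed version string is what `dpkg-query -W -f='${Version}' wget` prints on the host.

```python
import re

# Fixed versions from the advisory above. The suite names are an assumption read
# off the "+deb6u1" / "+deb7u2" suffixes (Debian 6 = squeeze, Debian 7 = wheezy);
# 1.16-1 is mapped to jessie here for the same reason.
FIXED_VERSIONS = {
    "squeeze": "1.12-2.1+deb6u1",
    "wheezy": "1.13.4-3+deb7u2",
    "jessie": "1.16-1",
}


def _order(c):
    """Character weight dpkg uses for the non-digit runs of a version string."""
    if c == "~":
        return -1          # '~' sorts before everything, even the end of the string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's comparison of an upstream or revision part: alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are not significant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a's digit run is longer, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 in the order `dpkg --compare-versions` uses: epoch, upstream, revision."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def is_affected(installed, suite):
    """True when the installed Debian wget version is below the fixed version for its suite."""
    return dpkg_compare(installed, FIXED_VERSIONS[suite]) < 0


def naive_upstream_check(installed):
    """What a scanner that only looks at the upstream version concludes ('< 1.16' => affected).
    It reports the patched squeeze and wheezy packages as vulnerable, because the
    backported fix does not bump the upstream version."""
    upstream = _split(installed)[1]
    parts = tuple(int(p) for p in re.findall(r"\d+", upstream))
    return parts < (1, 16)


if __name__ == "__main__":
    for suite, ver in (("wheezy", "1.13.4-3+deb7u1"), ("wheezy", "1.13.4-3+deb7u2")):
        print(suite, ver, "affected" if is_affected(ver, suite) else "fixed",
              "(upstream-only check says affected)" if naive_upstream_check(ver) else "")
```

Upstream wget 1.16 also changed the default of `--retr-symlinks` to on, so symlinks met during a recursive FTP retrieval are fetched as the file they point to rather than recreated as local symlinks; on a host that cannot be upgraded yet, the same behaviour is available by putting `retr_symlinks = on` in wgetrc.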
Is CVE-2014-4877 being exploited?
Likely — EPSS is 74.3%, placing CVE-2014-4877 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (3)
- from 0, < 1.16-1
- from 0, < 1.12-2.1+deb6u1
- from 0, < 1.13.4-3+deb7u2