CVE-2014-8517

The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.

Published: Nov 17, 2014
Updated: Apr 13, 2023
CVE: CVE-2014-8517
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
apple / mac_os_x	10.10.0	10.10.0.x
apple / mac_os_x	10.10.1	10.10.1.x
apple / mac_os_x	10.9.5	10.9.5.x
apple / mac_os_x	10.8.5	10.8.5.x
netbsd / netbsd	6.1.1	6.1.1.x
netbsd / netbsd	5.2.2	5.2.2.x
netbsd / netbsd	5.1	5.1.x
netbsd / netbsd	6.1.3	6.1.3.x
netbsd / netbsd	6.0	6.0.x
netbsd / netbsd	6.1.4	6.1.4.x
netbsd / netbsd	6.0.4	6.0.4.x
netbsd / netbsd	5.1.4	5.1.4.x
netbsd / netbsd	6.0.6	6.0.6.x
netbsd / netbsd	6.0.2	6.0.2.x
netbsd / netbsd	5.1.2	5.1.2.x
netbsd / netbsd	5.2.1	5.2.1.x
netbsd / netbsd	5.1.3	5.1.3.x
netbsd / netbsd	6.0.5	6.0.5.x
netbsd / netbsd	6.1.2	6.1.2.x
netbsd / netbsd	6.0.1	6.0.1.x
netbsd / netbsd	5.1.1	5.1.1.x
netbsd / netbsd	6.1.5	6.1.5.x
netbsd / netbsd	5.2	5.2.x
netbsd / netbsd	6.0.3	6.0.3.x
netbsd / netbsd	6.1	6.1.x

Vulnerability Database

CVE-2014-8517