ID CVE-2017-6903
Summary In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.
References
Vulnerable Configurations
  • cpe:2.3:a:ioquake3:ioquake3:2017-02-27:*:*:*:*:*:*:*
    cpe:2.3:a:ioquake3:ioquake3:2017-02-27:*:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 24-08-2020 - 17:37)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
refmap via4
confirm
debian DSA-3812
Last major update 24-08-2020 - 17:37
Published 14-03-2017 - 22:59
Last modified 24-08-2020 - 17:37
Back to Top