CVE-2017-8921

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In FlightGear before 2017.2.1, the FGCommand interface allows overwriting any file the user has write access to, but not with arbitrary data: only with the contents of a FlightGear flightplan (XML). A resource such as a malicious third-party aircraft could exploit this to damage files belonging to the user. Both this issue and CVE-2016-9956 are directory traversal vulnerabilities in Autopilot/route_mgr.cxx - this one exists because of an incomplete fix for CVE-2016-9956.

En FlightGear anterior a versión 2017.2.1, la interfaz FGCommand permite sobrescribir cualquier archivo al que el usuario tenga acceso de escritura, pero no con datos arbitrarios: solo con el contenido de un flightplan (XML) de FlightGear. Un recurso como un aeronave maliciosa de terceros podría explotar esto para dañar los archivos que pertenecen al usuario. Tanto este problema y el CVE-2016-9956 son vulnerabilidades de salto de directorio en el archivo Autopilot/route_mgr.cxx; este se presenta debido a una solución incompleta para el CVE-2016-9956.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-05-12 CVE Reserved
2017-05-12 CVE Published
2024-09-16 CVE Updated
2024-09-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://sourceforge.net/p/flightgear/flightgear/ci/faf872e7f71ca14c567ac7080561fc785d8d2fd0	2017-05-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Flightgear Search vendor "Flightgear"		Flightgear Search vendor "Flightgear" for product "Flightgear"				<= 2017.2 Search vendor "Flightgear" for product "Flightgear" and version " <= 2017.2"		-		Affected