CVE-2021-21292

Unquoted Windows binary path in Traccar

Severity Score

6.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. Attacker needs write access to the filesystem on the host machine. If Java path includes a space, then attacker can lift their privilege to the same as Traccar service (system). This is fixed in version 4.12.

Traccar es un sistema de rastreo GPS de código abierto. En Traccar anterior a versión 4.12, se presenta una vulnerabilidad de ruta binaria de Windows sin comillas. Solo las versiones de Windows están afectadas. El atacante necesita acceso de escritura al sistema de archivos en la máquina host. Si la ruta de Java incluye un espacio, entonces el atacante puede elevar su privilegio al mismo que el servicio Traccar (system). Esto se corregido en la versión 4.12

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-02-02 CVE Published
2023-10-19 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-428: Unquoted Search Path or Element

CAPEC

References (3)

URL	Tag	Source
https://github.com/traccar/traccar/security/advisories/GHSA-j75r-7qm5-62q5	Third Party Advisory
https://www.traccar.org	Product

URL	Date	SRC

URL	Date	SRC
https://github.com/traccar/traccar/commit/cc69a9907ac9878db3750aa14ffedb28626455da	2021-02-08

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Traccar Search vendor "Traccar"	Traccar Search vendor "Traccar" for product "Traccar"	< 4.12 Search vendor "Traccar" for product "Traccar" and version " < 4.12"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe