CVE-2017-8921

{"id": "CVE-2017-8921", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2017-05-12T19:29:00.300", "references": [{"url": "https://sourceforge.net/p/flightgear/flightgear/ci/faf872e7f71ca14c567ac7080561fc785d8d2fd0/", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "In FlightGear before 2017.2.1, the FGCommand interface allows overwriting any file the user has write access to, but not with arbitrary data: only with the contents of a FlightGear flightplan (XML). A resource such as a malicious third-party aircraft could exploit this to damage files belonging to the user. Both this issue and CVE-2016-9956 are directory traversal vulnerabilities in Autopilot/route_mgr.cxx - this one exists because of an incomplete fix for CVE-2016-9956."}, {"lang": "es", "value": "En FlightGear anterior a versi\u00f3n 2017.2.1, la interfaz FGCommand permite sobrescribir cualquier archivo al que el usuario tenga acceso de escritura, pero no con datos arbitrarios: solo con el contenido de un flightplan (XML) de FlightGear. Un recurso como un aeronave maliciosa de terceros podr\u00eda explotar esto para da\u00f1ar los archivos que pertenecen al usuario. Tanto este problema y el CVE-2016-9956 son vulnerabilidades de salto de directorio en el archivo Autopilot/route_mgr.cxx; este se presenta debido a una soluci\u00f3n incompleta para el CVE-2016-9956."}], "lastModified": "2017-05-26T18:13:36.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flightgear:flightgear:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82D731B1-5535-44CE-B59D-6D21D6A99E5B", "versionEndIncluding": "2017.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}