CVE-2017-17662

Опубликовано: 10 янв. 2018

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Directory traversal in the HTTP server on Yawcam 0.2.6 through 0.6.0 devices allows attackers to read arbitrary files through a sequence of the form '.x./' or '....\x/' where x is a pattern composed of one or more (zero or more for the second pattern) of either \ or ..\ -- for example a '../', '..../' or '..../' sequence. For files with no extension, a single dot needs to be appended to ensure the HTTP server does not alter the request, e.g., a "GET /../../../../../../../windows/system32/drivers/etc/hosts." request.

Ссылки

http://packetstormsecurity.com/files/145770/Yawcam-0.6.0-Directory-Traversal.html
Exploit
Third Party Advisory
VDB Entry
http://www.yawcam.com/news.php
Vendor Advisory
http://packetstormsecurity.com/files/145770/Yawcam-0.6.0-Directory-Traversal.html
Exploit
Third Party Advisory
VDB Entry
http://www.yawcam.com/news.php
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:yawcam:yawcam:*:*:*:*:*:*:*:*

Версия от 0.2.6 (включая) до 0.6.0 (включая)

EPSS

Процентиль: 87%

0.03553

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-f3m9-fjq3-x8h8

CVSS3: 7.5

github

больше 3 лет назад

Directory traversal in the HTTP server on Yawcam 0.2.6 through 0.6.0 devices allows attackers to read arbitrary files through a sequence of the form '.x./' or '....\x/' where x is a pattern composed of one or more (zero or more for the second pattern) of either \ or ..\ -- for example a '.\./', '....\/' or '...\./' sequence. For files with no extension, a single dot needs to be appended to ensure the HTTP server does not alter the request, e.g., a "GET /.\./.\./.\./.\./.\./.\./.\./windows/system32/drivers/etc/hosts." request.

EPSS

Процентиль: 87%

0.03553

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-22