CVE-2017-6445

Опубликовано: 05 мар. 2017

Источник: nvd

CVSS3: 8.1

CVSS2: 7.6

EPSS Низкий

Описание

The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipulate the update packages to gain root access remotely.

Ссылки

http://www.securityfocus.com/bid/96580
https://tech.feedyourhead.at/content/openelec-cve-2017-6445-revisited
https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle
Exploit
Technical Description
Third Party Advisory
http://www.securityfocus.com/bid/96580
https://tech.feedyourhead.at/content/openelec-cve-2017-6445-revisited
https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle
Exploit
Technical Description
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:o:openelec:openelec:6.0.3:*:*:*:*:*:*:*

cpe:2.3:o:openelec:openelec:7.0.1:*:*:*:*:*:*:*

EPSS

Процентиль: 51%

0.00276

Низкий

8.1 High

CVSS3

7.6 High

CVSS2

Дефекты

CWE-311

Связанные уязвимости

GHSA-9rcx-w9pg-pvf5