CVE-2013-3661

EPSS 1.76%
Veröffentlicht 24.05.2013 20:55:01
Zuletzt bearbeitet 11.04.2025 00:51:21
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

The EPATHOBJ::bFlatten function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not check whether linked-list traversal is continually accessing the same list member, which allows local users to cause a denial of service (infinite traversal) via vectors that trigger a crafted PATHRECORD chain.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Microsoft ≫ Windows 7 Version- Updatesp1 Editionx64

Microsoft ≫ Windows 7 Version- Updatesp1 Editionx86

Microsoft ≫ Windows 8 Version- Update- Editionx64

Microsoft ≫ Windows 8 Version- Update- Editionx86

Microsoft ≫ Windows Rt Version-

Microsoft ≫ Windows Server 2003 Updatesp2

Microsoft ≫ Windows Server 2008 Version- Updatesp2

Microsoft ≫ Windows Server 2008 Versionr2 Updatesp1

Microsoft ≫ Windows Server 2012 Version-

Microsoft ≫ Windows Vista Version- Updatesp2

Microsoft ≫ Windows Xp Updatesp3

Microsoft ≫ Windows Xp Version- Updatesp2 Editionx64

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.76%	0.82

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.9	3.9	6.9	AV:L/AC:L/Au:N/C:N/I:N/A:C

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0094.html

http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0006.html

http://secunia.com/advisories/53435

Vendor Advisory

http://twitter.com/taviso/statuses/335557286657400832

http://www.computerworld.com/s/article/9239477

http://www.exploit-db.com/exploits/25611/

http://www.osvdb.org/93539

http://www.reddit.com/r/netsec/comments/1eqh66/0day_windows_kernel_epathobj_vulnerability/

http://www.theverge.com/2013/5/23/4358400/google-engineer-bashes-microsoft-discloses-windows-flaw

https://nvd.nist.gov/vuln/detail/CVE-2013-3661

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2013-3661

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2013-3661

EUVD