CVE-2017-3141

Exploit

EPSS 2.55%
Published 16.01.2019 20:29:00
Last modified 21.11.2024 03:24:55
Source security-officer@isc.org
Teams watchlist Login
Open Login

The BIND installer on Windows uses an unquoted service path which can enable a local user to achieve privilege escalation if the host file system permissions allow this. Affects BIND 9.2.6-P2->9.2.9, 9.3.2-P1->9.3.6, 9.4.0->9.8.8, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, 9.10.5-S1.

Affected products Warnungen 0 Metrics 4 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Isc ≫ Bind Version >= 9.2.6 <= 9.2.9

Isc ≫ Bind Version >= 9.3.2 <= 9.3.6

Isc ≫ Bind Version >= 9.4.0 <= 9.8.8

Isc ≫ Bind Version >= 9.9.0 <= 9.9.10

Isc ≫ Bind Version >= 9.10.0 <= 9.10.5

Isc ≫ Bind Version >= 9.11.0 <= 9.11.1

Isc ≫ Bind Version9.2.6 Updatep2

Isc ≫ Bind Version9.3.2 Updatep1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.55%	0.841

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C
security-officer@isc.org	7.2	0.6	6	CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

CWE-428 Unquoted Search Path or Element

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

https://security.gentoo.org/glsa/201708-01

Third Party Advisory

https://security.netapp.com/advisory/ntap-20180926-0001/

Third Party Advisory

http://www.securityfocus.com/bid/99089

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1038693

Third Party Advisory

VDB Entry

https://kb.isc.org/docs/aa-01496

Vendor Advisory