CVE-2017-6466

EPSS 0.75%
Published 11.03.2017 06:59:00
Last modified 20.04.2025 01:37:25
Source cve@mitre.org
Teams watchlist Login
Open Login

F-Secure Software Updater 2.20, as distributed in several F-Secure products, downloads installation packages over plain http and does not perform file integrity validation after download. Man-in-the-middle attackers can replace the file with their own executable which will be executed under the SYSTEM account. Note that when Software Updater is configured to install updates automatically, it checks if the downloaded file is digitally signed by default, but does not check the author of the signature. When running in manual mode (default), no signature check is performed.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

F-secure ≫ Software Updater Version2.20

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.75%	0.708

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://seclists.org/fulldisclosure/2017/Mar/28

Third Party Advisory

Mailing List

http://www.securityfocus.com/bid/96784

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2017-6466

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-6466

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-6466

EUVD