History: Jul 24, 2018 - 3:29 p.m.

CVE-2017-3209

2018-07-24 15:29:00
CWE-306
CWE-276
web.nvd.nist.gov
dbpower
u818a
wifi
quadcopter
drone
ftp
access
vulnerability
security
filesystem
permissions
anonymous access
device
busybox

CVSS2: 4.8 Medium

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:N

CVSS3: 8.1 High

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 8.1 High (Confidence: High)

EPSS: 0.003 Low (Percentile: 69.4%)

The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user. The DBPower U818A WIFI quadcopter drone runs an FTP server that by default allows anonymous access without a password, and provides full filesystem read/write permissions to the anonymous user. A remote user within range of the open access point on the drone may utilize the anonymous user of the FTP server to read arbitrary files, such as images and video recorded by the device, or to replace system files such as /etc/shadow to gain further access to the device. Furthermore, the DBPOWER U818A WIFI quadcopter drone uses BusyBox 1.20.2, which was released in 2012, and may be vulnerable to other known BusyBox vulnerabilities.

Affected configurations

NVD
Node
busybox busybox Match -
OR
dbpower u818a Match -
AND
dbpower u818a_firmware Match -

CNA Affected

[
  {
    "product": "U818A WiFi Quadcopter Drone",
    "vendor": "DBPOWER",
    "versions": [
      {
        "status": "unknown",
        "version": "N/A"
      }
    ]
  }
]
