FreeBSD2A8B7D21-1ECC-11E5-A4A5-002590263BF5wesnoth -- disclosure of .pbl files with lowercase, uppercase, and mixed-case extension
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.002 Low
EPSS
Percentile
55.4%
Ignacio R. Morelle reports:
As mentioned in the Wesnoth 1.12.4 and Wesnoth 1.13.1 release
announcements, a security vulnerability targeting add-on authors
was found (bug #23504) which allowed a malicious user to obtain
add-on server passphrases from the client’s .pbl files and transmit
them over the network, or store them in saved game files intended
to be shared by the victim. This vulnerability affects all existing
releases up to and including versions 1.12.2 and 1.13.0.
Additionally, version 1.12.3 included only a partial fix that failed
to guard users against attempts to read from .pbl files with an
uppercase or mixed-case extension. CVE-2015-5069 and CVE-2015-5070
have been assigned to the vulnerability affecting .pbl files with a
lowercase extension, and .pbl files with an uppercase or mixed-case
extension, respectively.
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.002 Low
EPSS
Percentile
55.4%