id Tech 3 -- remote code execution vulnerability

2017-03-1400:00:00

vuxml.freebsd.org

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

55.8%

JSON

The content auto-download of id Tech 3 can be used to deliver
maliciously crafted content, that triggers downloading of
further content and loading and executing it as native code
with user credentials. This affects ioquake3, ioUrbanTerror,
OpenArena, the original Quake 3 Arena and other forks.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchioquake3< 1.36_16UNKNOWN
FreeBSDanynoarchioquake3-devel< g2930UNKNOWN
FreeBSDanynoarchiourbanterror< 4.3.2,1UNKNOWN
FreeBSDanynoarchopenarena< 0.8.8.s1910_3,1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	ioquake3	< 1.36_16	UNKNOWN
FreeBSD	any	noarch	ioquake3-devel	< g2930	UNKNOWN
FreeBSD	any	noarch	iourbanterror	< 4.3.2,1	UNKNOWN
FreeBSD	any	noarch	openarena	< 0.8.8.s1910_3,1	UNKNOWN