CVE-2017-8921 — Path Traversal in Flightgear

CWE-22 — Path Traversal4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 30.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Flightgear Debian Flightgear

Timeline

PublishedMay 12

Latest updateMay 17

Description

In FlightGear before 2017.2.1, the FGCommand interface allows overwriting any file the user has write access to, but not with arbitrary data: only with the contents of a FlightGear flightplan (XML). A resource such as a malicious third-party aircraft could exploit this to damage files belonging to the user. Both this issue and CVE-2016-9956 are directory traversal vulnerabilities in Autopilot/route_mgr.cxx - this one exists because of an incomplete fix for CVE-2016-9956.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/flightgear< flightgear 1:2016.4.4+dfsg-3 (bookworm)

▶Debianflightgear/flightgear< 1:2016.4.4+dfsg-3+3

▶NVDflightgear/flightgear2017.2

Patches

Patch: sourceforge.net ↗Patch: sourceforge.net ↗

🔴Vulnerability Details

GHSA

GHSA-cm86-qqq5-r5v2: In FlightGear before 2017↗2022-05-17

▶

OSV

CVE-2017-8921: In FlightGear before 2017↗2017-05-12

▶

📋Vendor Advisories

Debian

CVE-2017-8921: flightgear - In FlightGear before 2017.2.1, the FGCommand interface allows overwriting any fi...↗2017

▶