CVE-2017-17662 Information
Feb 14, 2021
cve
Description
Directory traversal in the HTTP server on Yawcam 0.2.6 through 0.6.0 devices allows attackers to read arbitrary files through a sequence of the form '.x./' or '....\x/', where x is a pattern composed of one or more (zero or more for the second pattern) of either \ or ..\, for example a '.\./', '....\/' or '...\./' sequence. For files with no extension, a single dot needs to be appended to ensure the HTTP server does not alter the request, e.g. a "GET /.\./.\./.\./.\./.\./.\./.\./windows/system32/drivers/etc/hosts." request.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Reference
http://packetstormsecurity.com/files/145770/Yawcam-0.6.0-Directory-Traversal.html
http://www.yawcam.com/news.php
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
7.5
Base Severity
HIGH