ByteOS Network

NVD Vulnerability Details :

CVE-2017-6903

Deferred

Source-cve@mitre.org

Published At-14 Mar, 2017 | 22:59

Updated At-20 Apr, 2025 | 01:37

In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.0	7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary	2.0	9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C

Type: Primary

Version: 3.0

Base score: 7.8

Base severity: HIGH

Vector:

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Type: Primary

Version: 2.0

Base score: 9.3

Base severity: HIGH

Vector:

AV:N/AC:M/Au:N/C:C/I:C/A:C

CPE Matches

ioquake3>>ioquake3>>Versions up to 2017-02-27(inclusive)

cpe:2.3:a:ioquake3:ioquake3:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
NVD-CWE-noinfo	Primary	nvd@nist.gov

CWE ID: NVD-CWE-noinfo

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
http://www.debian.org/security/2017/dsa-3812	cve@mitre.org	N/A
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699	cve@mitre.org	Third Party Advisory
https://github.com/JACoders/OpenJK/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7	cve@mitre.org	Issue Tracking Patch
https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd	cve@mitre.org	Issue Tracking Patch
https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372	cve@mitre.org	Issue Tracking Patch
https://github.com/ioquake/ioq3/commit/f61fe5f6a0419ef4a88d46a128052f2e8352e85d	cve@mitre.org	Issue Tracking Patch
https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998	cve@mitre.org	Issue Tracking Patch
https://github.com/iortcw/iortcw/commit/b248763e4878ef12d5835ece6600be8334f67da1	cve@mitre.org	Issue Tracking Patch
https://github.com/iortcw/iortcw/commit/b6ff2bcb1e4e6976d61e316175c6d7c99860fe20	cve@mitre.org	Issue Tracking Patch
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/	cve@mitre.org	Vendor Advisory
http://www.debian.org/security/2017/dsa-3812	af854a3a-2127-422b-91ae-364da2661108	N/A
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699	af854a3a-2127-422b-91ae-364da2661108	Third Party Advisory
https://github.com/JACoders/OpenJK/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7	af854a3a-2127-422b-91ae-364da2661108	Issue Tracking Patch
https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd	af854a3a-2127-422b-91ae-364da2661108	Issue Tracking Patch
https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372	af854a3a-2127-422b-91ae-364da2661108	Issue Tracking Patch
https://github.com/ioquake/ioq3/commit/f61fe5f6a0419ef4a88d46a128052f2e8352e85d	af854a3a-2127-422b-91ae-364da2661108	Issue Tracking Patch
https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998	af854a3a-2127-422b-91ae-364da2661108	Issue Tracking Patch
https://github.com/iortcw/iortcw/commit/b248763e4878ef12d5835ece6600be8334f67da1	af854a3a-2127-422b-91ae-364da2661108	Issue Tracking Patch
https://github.com/iortcw/iortcw/commit/b6ff2bcb1e4e6976d61e316175c6d7c99860fe20	af854a3a-2127-422b-91ae-364da2661108	Issue Tracking Patch
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/	af854a3a-2127-422b-91ae-364da2661108	Vendor Advisory