Vulnerability Details CVE-2017-17662
Directory traversal in the HTTP server on Yawcam 0.2.6 through 0.6.0 devices allows attackers to read arbitrary files through a sequence of the form '.x./' or '....\x/' where x is a pattern composed of one or more (zero or more for the second pattern) of either \ or ..\ -- for example a '.\./', '....\/' or '...\./' sequence. For files with no extension, a single dot needs to be appended to ensure the HTTP server does not alter the request, e.g., a "GET /.\./.\./.\./.\./.\./.\./.\./windows/system32/drivers/etc/hosts." request.
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.037
EPSS Ranking: 87.5%
CVSS Severity
CVSS v3 Score: 7.5
CVSS v2 Score: 5.0
Products affected by CVE-2017-17662
- cpe:2.3:a:yawcam:yawcam:0.2.6
- cpe:2.3:a:yawcam:yawcam:0.3.0
- cpe:2.3:a:yawcam:yawcam:0.3.1
- cpe:2.3:a:yawcam:yawcam:0.3.2
- cpe:2.3:a:yawcam:yawcam:0.3.3
- cpe:2.3:a:yawcam:yawcam:0.3.4
- cpe:2.3:a:yawcam:yawcam:0.3.5
- cpe:2.3:a:yawcam:yawcam:0.3.6
- cpe:2.3:a:yawcam:yawcam:0.3.7
- cpe:2.3:a:yawcam:yawcam:0.3.8
- cpe:2.3:a:yawcam:yawcam:0.3.9
- cpe:2.3:a:yawcam:yawcam:0.4.0
- cpe:2.3:a:yawcam:yawcam:0.4.1
- cpe:2.3:a:yawcam:yawcam:0.4.2
- cpe:2.3:a:yawcam:yawcam:0.5.0
- cpe:2.3:a:yawcam:yawcam:0.6.0